Result Details
Install AIDExccdf_org.ssgproject.content_rule_package_aide_installed mediumCCE-80844-4
Install AIDE
| Rule ID | xccdf_org.ssgproject.content_rule_package_aide_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_aide_installed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80844-4 References:
BP28(R51), 1.4.1, 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150 |
| Description | The aide package can be installed with the following command:
$ sudo yum install aide |
| Rationale | The AIDE package must be installed if it is to be available for integrity checking. |
OVAL test results detailspackage aide is installed
oval:ssg-test_package_aide_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| aide | x86_64 | (none) | 14.el8 | 0.16 | 0:0.16-14.el8 | 199e2f91fd431d51 | aide-0:0.16-14.el8.x86_64 |
Configure Notification of Post-AIDE Scan Detailsxccdf_org.ssgproject.content_rule_aide_scan_notification mediumCCE-82891-3
Configure Notification of Post-AIDE Scan Details
| Rule ID | xccdf_org.ssgproject.content_rule_aide_scan_notification |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-aide_scan_notification:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82891-3 References:
BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, RHEL-08-010360, SV-230263r599732_rule |
| Description | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
If AIDE has already been configured for periodic execution in /etc/crontab, append the
following line to the existing AIDE line:
| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example. |
| Rationale | Unauthorized changes to the baseline configuration could make the system vulnerable
to various attacks or allow unauthorized access to the operating system. Changes to
operating system configurations can have unintended side effects, some of which may
be relevant to security.
Detecting such changes and providing an automated response can help avoid unintended,
negative consequences that could ultimately affect the security state of the operating
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. |
OVAL test results detailspackage aide is installed
oval:ssg-test_package_aide_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| aide | x86_64 | (none) | 14.el8 | 0.16 | 0:0.16-14.el8 | 199e2f91fd431d51 | aide-0:0.16-14.el8.x86_64 |
notify personnel when aide completes
oval:ssg-test_aide_scan_notification:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_test_aide_scan_notification:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/crontab | ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ | 1 |
notify personnel when aide completes
oval:ssg-test_aide_var_cron_notification:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /var/spool/cron/root | 0 5 * * * /usr/sbin/aide --check | /bin/mail -s "`hostname` - AIDE Integrity Check" root@localhost |
notify personnel when aide completes in cron.(daily|weekly|monthly)
oval:ssg-test_aide_crontabs_notification:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_crontabs_notification:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| ^/etc/cron.(d|daily|weekly|monthly)$ | ^.*$ | ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ | 1 |
Configure AIDE to Verify Extended Attributesxccdf_org.ssgproject.content_rule_aide_verify_ext_attributes lowCCE-83733-6
Configure AIDE to Verify Extended Attributes
| Rule ID | xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-aide_verify_ext_attributes:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-83733-6 References:
BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, RHEL-08-040300, SV-230551r599732_rule |
| Description | By default, the xattrs option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the xattrs option is missing, add xattrs
to the appropriate ruleset.
For example, add xattrs to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default. |
| Rationale | Extended attributes in file systems are used to contain arbitrary data and file metadata
with security implications. |
OVAL test results detailspackage aide is installed
oval:ssg-test_package_aide_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| aide | x86_64 | (none) | 14.el8 | 0.16 | 0:0.16-14.el8 | 199e2f91fd431d51 | aide-0:0.16-14.el8.x86_64 |
xattrs is set in /etc/aide.conf
oval:ssg-test_aide_verify_ext_attributes:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/aide.conf | EVERYTHING = R+ALLXTRAHASHES+xattrs+acl+sha512 |
| /etc/aide.conf | NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512 |
| /etc/aide.conf | DIR = p+i+n+u+g+acl+selinux+xattrs+sha512 |
| /etc/aide.conf | PERMS = p+u+g+acl+selinux+xattrs+sha512 |
| /etc/aide.conf | LOG = p+u+g+n+S+acl+selinux+xattrs+sha512 |
| /etc/aide.conf | CONTENT = sha512+ftype+xattrs+acl |
| /etc/aide.conf | CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs |
| /etc/aide.conf | DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512 |
Configure AIDE to Verify Access Control Lists (ACLs)xccdf_org.ssgproject.content_rule_aide_verify_acls lowCCE-84220-3
Configure AIDE to Verify Access Control Lists (ACLs)
| Rule ID | xccdf_org.ssgproject.content_rule_aide_verify_acls |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-aide_verify_acls:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-84220-3 References:
BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, RHEL-08-040310, SV-230552r599732_rule |
| Description | By default, the acl option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the acl option is missing, add acl
to the appropriate ruleset.
For example, add acl to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default. |
| Rationale | ACLs can provide permissions beyond those permitted through the file mode and must be
verified by the file integrity tools. |
OVAL test results detailspackage aide is installed
oval:ssg-test_package_aide_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| aide | x86_64 | (none) | 14.el8 | 0.16 | 0:0.16-14.el8 | 199e2f91fd431d51 | aide-0:0.16-14.el8.x86_64 |
acl is set in /etc/aide.conf
oval:ssg-test_aide_verify_acls:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/aide.conf | EVERYTHING = R+ALLXTRAHASHES+xattrs+acl+sha512 |
| /etc/aide.conf | NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512 |
| /etc/aide.conf | DIR = p+i+n+u+g+acl+selinux+xattrs+sha512 |
| /etc/aide.conf | PERMS = p+u+g+acl+selinux+xattrs+sha512 |
| /etc/aide.conf | LOG = p+u+g+n+S+acl+selinux+xattrs+sha512 |
| /etc/aide.conf | CONTENT = sha512+ftype+xattrs+acl |
| /etc/aide.conf | CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs |
| /etc/aide.conf | DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512 |
Enable FIPS Modexccdf_org.ssgproject.content_rule_enable_fips_mode highCCE-80942-6
Enable FIPS Mode
| Rule ID | xccdf_org.ssgproject.content_rule_enable_fips_mode |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-enable_fips_mode:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80942-6 References:
CCI-000068, CCI-000803, CCI-002450, 1446, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, RHEL-08-010020, SV-230223r599732_rule, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 |
| Description | To enable FIPS mode, run the following command:
fips-mode-setup --enable
The fips-mode-setup command will configure the system in
FIPS mode by automatically configuring the following:
- Setting the kernel FIPS mode flag (
/proc/sys/crypto/fips_enabled) to 1 - Creating
/etc/system-fips - Setting the system crypto policy in
/etc/crypto-policies/config to FIPS - Loading the Dracut
fips module
Furthermore, the system running in FIPS mode should be FIPS certified by NIST. |
| Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
OVAL test results details/etc/system-fips exists
oval:ssg-test_etc_system_fips:tst:1
true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|
| /etc/system-fips | regular | 0 | 0 | 36 | rw-r--r-- |
kernel runtime parameter crypto.fips_enabled set to 1
oval:ssg-test_sysctl_crypto_fips_enabled:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| crypto.fips_enabled | 1 |
add_dracutmodules contains fips
oval:ssg-test_enable_dracut_fips_module:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/dracut.conf.d/40-fips.conf |
add_dracutmodules+=" fips "
|
check for crypto policy correctly configured in /etc/crypto-policies/config
oval:ssg-test_configure_crypto_policy:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/crypto-policies/config | FIPS |
check for crypto policy correctly configured in /etc/crypto-policies/state/current
oval:ssg-test_configure_crypto_policy_current:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/crypto-policies/state/current | FIPS |
Check if update-crypto-policies has been run
oval:ssg-test_crypto_policies_updated:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1628732255 |
Check if /etc/crypto-policies/back-ends/nss.config exists
oval:ssg-test_crypto_policy_nss_config:tst:1
true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|
| /etc/crypto-policies/back-ends/nss.config | regular | 0 | 0 | 391 | rw-r--r-- |
installed OS part of unix family
oval:ssg-test_rhel7_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type
family_object
installed OS part of unix family
oval:ssg-test_rhel7_unix_family:tst:1
true
Following items have been found on the system:
redhat-release-client is version 7
oval:ssg-test_rhel7_client:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-client is version 7
oval:ssg-test_rhel7_client:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-workstation is version 7
oval:ssg-test_rhel7_workstation:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-workstation is version 7
oval:ssg-test_rhel7_workstation:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-server is version 7
oval:ssg-test_rhel7_server:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-server is version 7
oval:ssg-test_rhel7_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-computenode is version 7
oval:ssg-test_rhel7_computenode:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-computenode is version 7
oval:ssg-test_rhel7_computenode:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 7
oval:ssg-test_rhevh_rhel7_version:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 7
oval:ssg-test_rhevh_rhel7_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family
oval:ssg-test_rhel7_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type
family_object
installed OS part of unix family
oval:ssg-test_rhel7_unix_family:tst:1
true
Following items have been found on the system:
redhat-release-client is version 7
oval:ssg-test_rhel7_client:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-client is version 7
oval:ssg-test_rhel7_client:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-workstation is version 7
oval:ssg-test_rhel7_workstation:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-workstation is version 7
oval:ssg-test_rhel7_workstation:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-server is version 7
oval:ssg-test_rhel7_server:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-server is version 7
oval:ssg-test_rhel7_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-computenode is version 7
oval:ssg-test_rhel7_computenode:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-computenode is version 7
oval:ssg-test_rhel7_computenode:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 7
oval:ssg-test_rhevh_rhel7_version:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 7
oval:ssg-test_rhevh_rhel7_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| redhat-release | x86_64 | (none) | 0.6.el8 | 8.4 | 0:8.4-0.6.el8 | 199e2f91fd431d51 | redhat-release-0:8.4-0.6.el8.x86_64 |
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| redhat-release | x86_64 | (none) | 0.6.el8 | 8.4 | 0:8.4-0.6.el8 | 199e2f91fd431d51 | redhat-release-0:8.4-0.6.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| redhat-release | x86_64 | (none) | 0.6.el8 | 8.4 | 0:8.4-0.6.el8 | 199e2f91fd431d51 | redhat-release-0:8.4-0.6.el8.x86_64 |
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| redhat-release | x86_64 | (none) | 0.6.el8 | 8.4 | 0:8.4-0.6.el8 | 199e2f91fd431d51 | redhat-release-0:8.4-0.6.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
os-release is rhcos
oval:ssg-test_rhcos:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/os-release | ^ID="(\w+)"$ | 1 |
os-release is rhcos
oval:ssg-test_rhcos:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/os-release | ID="rhel" |
rhcoreos is version 4
oval:ssg-test_rhcos4:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/os-release | ^VERSION_ID="(\d)\.\d+"$ | 1 |
rhcoreos is version 4
oval:ssg-test_rhcos4:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/os-release | VERSION_ID="8.4" |
os-release is rhcos
oval:ssg-test_rhcos:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/os-release | ^ID="(\w+)"$ | 1 |
os-release is rhcos
oval:ssg-test_rhcos:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/os-release | ID="rhel" |
rhcoreos is version 4
oval:ssg-test_rhcos4:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/os-release | ^VERSION_ID="(\d)\.\d+"$ | 1 |
rhcoreos is version 4
oval:ssg-test_rhcos4:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/os-release | VERSION_ID="8.4" |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
oraclelinux-release is version 7
oval:ssg-test_ol7_system:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 7
oval:ssg-test_ol7_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
oraclelinux-release is version 7
oval:ssg-test_ol7_system:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 7
oval:ssg-test_ol7_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type
rpminfo_object
tests if var_system_crypto_policy is set to FIPS
oval:ssg-test_system_crypto_policy_value:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-var_system_crypto_policy:var:1 | FIPS |
Set kernel parameter 'crypto.fips_enabled' to 1xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled highCCE-84027-2
Set kernel parameter 'crypto.fips_enabled' to 1
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_crypto_fips_enabled:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-84027-2 References:
CCI-000068, CCI-000803, CCI-002450, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 |
| Description | System running in FIPS mode is indicated by kernel parameter
'crypto.fips_enabled'. This parameter should be set to 1
in FIPS mode.
To enable FIPS mode, run the following command:
fips-mode-setup --enable |
| Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
OVAL test results detailskernel runtime parameter crypto.fips_enabled set to 1
oval:ssg-test_sysctl_crypto_fips_enabled:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| crypto.fips_enabled | 1 |
Enable Dracut FIPS Modulexccdf_org.ssgproject.content_rule_enable_dracut_fips_module mediumCCE-82155-3
Enable Dracut FIPS Module
| Rule ID | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-enable_dracut_fips_module:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82155-3 References:
CCI-000068, CCI-000803, CCI-002450, 1446, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 |
| Description | To enable FIPS mode, run the following command:
fips-mode-setup --enable
To enable FIPS, the system requires that the fips module is added in
dracut configuration.
Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " |
| Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
OVAL test results detailsadd_dracutmodules contains fips
oval:ssg-test_enable_dracut_fips_module:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/dracut.conf.d/40-fips.conf |
add_dracutmodules+=" fips "
|
Configure Kerberos to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy mediumCCE-80936-8
Configure Kerberos to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_kerberos_crypto_policy:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80936-8 References:
0418, 1055, 1402, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
Kerberos is supported by crypto policy, but it's configuration may be
set up to ignore it.
To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, kerberos is configured to use the system-wide crypto policy settings. |
| Rationale | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. |
OVAL test results detailsCheck if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file
oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /usr/share/crypto-policies/FIPS/krb5.txt |
Check if kerberos configuration symlink links to the crypto-policy backend file
oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /usr/share/crypto-policies/FIPS/krb5.txt |
Configure System Cryptography Policyxccdf_org.ssgproject.content_rule_configure_crypto_policy highCCE-80935-0
Configure System Cryptography Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_crypto_policy:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80935-0 References:
1.10, 1.11, 1446, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 |
| Description | To configure the system cryptography policy to use ciphers only from the FIPS
policy, run the following command:
$ sudo update-crypto-policies --set FIPS
The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon. |
| Rationale | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
OVAL test results detailscheck for crypto policy correctly configured in /etc/crypto-policies/config
oval:ssg-test_configure_crypto_policy:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/crypto-policies/config | FIPS |
check for crypto policy correctly configured in /etc/crypto-policies/state/current
oval:ssg-test_configure_crypto_policy_current:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/crypto-policies/state/current | FIPS |
Check if update-crypto-policies has been run
oval:ssg-test_crypto_policies_updated:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1628732255 |
Check if /etc/crypto-policies/back-ends/nss.config exists
oval:ssg-test_crypto_policy_nss_config:tst:1
true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|
| /etc/crypto-policies/back-ends/nss.config | regular | 0 | 0 | 391 | rw-r--r-- |
Configure BIND to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_bind_crypto_policy mediumCCE-80934-3
Configure BIND to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_bind_crypto_policy:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80934-3 References:
SC-13, SC-12(2), SC-12(3), SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190 |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
BIND is supported by crypto policy, but the BIND configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that the /etc/named.conf
includes the appropriate configuration:
In the options section of /etc/named.conf, make sure that the following line
is not commented out or superseded by later includes:
include "/etc/crypto-policies/back-ends/bind.config"; |
| Rationale | Overriding the system crypto policy makes the behavior of the BIND service violate expectations,
and makes system configuration more fragmented. |
OVAL test results detailspackage bind is removed
oval:ssg-test_package_bind_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_bind_removed:obj:1 of type
rpminfo_object
Check that the configuration includes the policy config file.
oval:ssg-test_configure_bind_crypto_policy:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_bind_crypto_policy:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/named.conf | ^\s*include\s+"/etc/crypto-policies/back-ends/bind.config"\s*;\s*$ | 1 |
Configure session renegotiation for SSH clientxccdf_org.ssgproject.content_rule_ssh_client_rekey_limit mediumCCE-82880-6
Configure session renegotiation for SSH client
| Rule ID | xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ssh_client_rekey_limit:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82880-6 References:
FCS_SSHS_EXT.1, SRG-OS-000423-GPOS-00187, RHEL-08-040162, SV-230528r599732_rule |
| Description | The RekeyLimit parameter specifies how often
the session key is renegotiated, both in terms of
amount of data that may be transmitted and the time
elapsed. To decrease the default limits, put line
RekeyLimit 1G 1h to file /etc/ssh/ssh_config.d/02-rekey-limit.conf.
Make sure that there is no other RekeyLimit configuration preceding
the include directive in the main config file
/etc/ssh/ssh_config. Check also other files in
/etc/ssh/ssh_config.d directory. Files are processed according to
lexicographical order of file names. Make sure that there is no file
processed before 02-rekey-limit.conf containing definition of
RekeyLimit. |
| Rationale | By decreasing the limit based on the amount of data and enabling
time-based limit, effects of potential attacks against
encryption keys are limited. |
OVAL test results detailstests the value of RekeyLimit setting in /etc/ssh/ssh_config file
oval:ssg-test_ssh_client_rekey_limit_main_config:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ssh_client_rekey_limit_main_config:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/ssh_config | ^[\s]*RekeyLimit.*$ | 1 |
tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf
oval:ssg-test_ssh_client_rekey_limit_include_configs:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/ssh_config.d/02-rekey-limit.conf | RekeyLimit 1G 1h
|
Configure OpenSSL library to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy mediumCCE-80938-4
Configure OpenSSL library to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_openssl_crypto_policy:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80938-4 References:
AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093 |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSL is supported by crypto policy, but the OpenSSL configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file
available under /etc/pki/tls/openssl.cnf.
This file has the ini format, and it enables crypto policy support
if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. |
| Rationale | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. |
OVAL test results detailsCheck that the configuration mandates usage of system-wide crypto policies.
oval:ssg-test_configure_openssl_crypto_policy:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pki/tls/openssl.cnf |
[ crypto_policy ]
.include /etc/crypto-policies/back-ends/opensslcnf.config
|
Configure Libreswan to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy mediumCCE-80937-6
Configure Libreswan to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_libreswan_crypto_policy:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80937-6 References:
CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014 |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
Libreswan is supported by system crypto policy, but the Libreswan configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf
includes the appropriate configuration file.
In /etc/ipsec.conf, make sure that the following line
is not commented out or superseded by later includes:
include /etc/crypto-policies/back-ends/libreswan.config |
| Rationale | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. |
OVAL test results detailspackage libreswan is installed
oval:ssg-test_package_libreswan_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libreswan_installed:obj:1 of type
rpminfo_object
Check that the libreswan configuration includes the crypto policy config file
oval:ssg-test_configure_libreswan_crypto_policy:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_libreswan_crypto_policy:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ipsec.conf | ^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$ | 1 |
Configure SSH to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy mediumCCE-80939-2
Configure SSH to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_ssh_crypto_policy:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80939-2 References:
5.2.20, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093 |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
SSH is supported by crypto policy, but the SSH configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. |
| Rationale | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. |
OVAL test results detailsCheck that the SSH configuration mandates usage of system-wide crypto policies.
oval:ssg-test_configure_ssh_crypto_policy:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/sysconfig/sshd | ^\s*CRYPTO_POLICY\s*=.*$ | 1 |
The Installed Operating System Is Vendor Supportedxccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported highCCE-80947-5
The Installed Operating System Is Vendor Supported
| Rule ID | xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-installed_OS_is_vendor_supported:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80947-5 References:
18, 20, 4, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, CM-6(a), MA-6, SA-13(a), ID.RA-1, PR.IP-12, SRG-OS-000480-GPOS-00227, RHEL-08-010000, SV-230221r599732_rule |
| Description | The installed operating system must be maintained by a vendor.
Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise
Linux vendor, Red Hat, Inc. is responsible for providing security patches. |
| Rationale | An operating system is considered "supported" if the vendor continues to
provide security patches for the product. With an unsupported release, it
will not be possible to resolve any security issue discovered in the system
software. |
| Warnings | warning
There is no remediation besides switching to a different operating system. |
OVAL test results detailsinstalled OS part of unix family
oval:ssg-test_rhel7_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type
family_object
installed OS part of unix family
oval:ssg-test_rhel7_unix_family:tst:1
true
Following items have been found on the system:
redhat-release-client is version 7
oval:ssg-test_rhel7_client:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-client is version 7
oval:ssg-test_rhel7_client:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-workstation is version 7
oval:ssg-test_rhel7_workstation:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-workstation is version 7
oval:ssg-test_rhel7_workstation:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-server is version 7
oval:ssg-test_rhel7_server:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-server is version 7
oval:ssg-test_rhel7_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-computenode is version 7
oval:ssg-test_rhel7_computenode:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-computenode is version 7
oval:ssg-test_rhel7_computenode:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 7
oval:ssg-test_rhevh_rhel7_version:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 7
oval:ssg-test_rhevh_rhel7_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family
oval:ssg-test_rhel7_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type
family_object
installed OS part of unix family
oval:ssg-test_rhel7_unix_family:tst:1
true
Following items have been found on the system:
redhat-release-client is version 7
oval:ssg-test_rhel7_client:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-client is version 7
oval:ssg-test_rhel7_client:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-workstation is version 7
oval:ssg-test_rhel7_workstation:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-workstation is version 7
oval:ssg-test_rhel7_workstation:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-server is version 7
oval:ssg-test_rhel7_server:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-server is version 7
oval:ssg-test_rhel7_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-computenode is version 7
oval:ssg-test_rhel7_computenode:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-computenode is version 7
oval:ssg-test_rhel7_computenode:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 7
oval:ssg-test_rhevh_rhel7_version:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 7
oval:ssg-test_rhevh_rhel7_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| redhat-release | x86_64 | (none) | 0.6.el8 | 8.4 | 0:8.4-0.6.el8 | 199e2f91fd431d51 | redhat-release-0:8.4-0.6.el8.x86_64 |
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| redhat-release | x86_64 | (none) | 0.6.el8 | 8.4 | 0:8.4-0.6.el8 | 199e2f91fd431d51 | redhat-release-0:8.4-0.6.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| redhat-release | x86_64 | (none) | 0.6.el8 | 8.4 | 0:8.4-0.6.el8 | 199e2f91fd431d51 | redhat-release-0:8.4-0.6.el8.x86_64 |
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| redhat-release | x86_64 | (none) | 0.6.el8 | 8.4 | 0:8.4-0.6.el8 | 199e2f91fd431d51 | redhat-release-0:8.4-0.6.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
oraclelinux-release is version 7
oval:ssg-test_ol7_system:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 7
oval:ssg-test_ol7_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
oraclelinux-release is version 7
oval:ssg-test_ol7_system:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 7
oval:ssg-test_ol7_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
oraclelinux-release is version 8
oval:ssg-test_ol8_system:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 8
oval:ssg-test_ol8_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type
family_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
oraclelinux-release is version 8
oval:ssg-test_ol8_system:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 8
oval:ssg-test_ol8_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type
rpminfo_object
installed OS part of unix family
oval:ssg-test_sle12_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type
family_object
installed OS part of unix family
oval:ssg-test_sle12_unix_family:tst:1
true
Following items have been found on the system:
sled-release is version 6
oval:ssg-test_sle12_desktop:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type
rpminfo_object
sled-release is version 6
oval:ssg-test_sle12_desktop:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type
rpminfo_object
sles-release is version 6
oval:ssg-test_sle12_server:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type
rpminfo_object
sles-release is version 6
oval:ssg-test_sle12_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type
rpminfo_object
installed OS part of unix family
oval:ssg-test_sle12_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type
family_object
installed OS part of unix family
oval:ssg-test_sle12_unix_family:tst:1
true
Following items have been found on the system:
sled-release is version 6
oval:ssg-test_sle12_desktop:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type
rpminfo_object
sled-release is version 6
oval:ssg-test_sle12_desktop:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type
rpminfo_object
sles-release is version 6
oval:ssg-test_sle12_server:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type
rpminfo_object
sles-release is version 6
oval:ssg-test_sle12_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type
rpminfo_object
installed OS part of unix family
oval:ssg-test_sle15_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_unix_family:obj:1 of type
family_object
installed OS part of unix family
oval:ssg-test_sle15_unix_family:tst:1
true
Following items have been found on the system:
sled-release is version 15
oval:ssg-test_sle15_desktop:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type
rpminfo_object
sled-release is version 15
oval:ssg-test_sle15_desktop:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type
rpminfo_object
sles-release is version 15
oval:ssg-test_sle15_server:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type
rpminfo_object
sles-release is version 15
oval:ssg-test_sle15_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type
rpminfo_object
installed OS part of unix family
oval:ssg-test_sle15_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_unix_family:obj:1 of type
family_object
installed OS part of unix family
oval:ssg-test_sle15_unix_family:tst:1
true
Following items have been found on the system:
sled-release is version 15
oval:ssg-test_sle15_desktop:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type
rpminfo_object
sled-release is version 15
oval:ssg-test_sle15_desktop:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type
rpminfo_object
sles-release is version 15
oval:ssg-test_sle15_server:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type
rpminfo_object
sles-release is version 15
oval:ssg-test_sle15_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type
rpminfo_object
Ensure Software Patches Installedxccdf_org.ssgproject.content_rule_security_patches_up_to_date highCCE-80865-9
Ensure Software Patches Installed
| Rule ID | xccdf_org.ssgproject.content_rule_security_patches_up_to_date |
| Result | |
| Multi-check rule | yes |
| OVAL Definition ID | |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80865-9 References:
BP28(R08), 1.9, 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, RHEL-08-010010, SV-230222r599732_rule, SRG-OS-000480-VMM-002000 |
| Description |
If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages)
can be manually downloaded from the Red Hat Network and installed using rpm.
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
dictates. |
| Rationale | Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities. If the most
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise. |
Evaluation messagesinfo
None of the check-content-ref elements was resolvable. |
Ensure gpgcheck Enabled for Local Packagesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages highCCE-80791-7
Ensure gpgcheck Enabled for Local Packages
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_local_packages:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80791-7 References:
BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, RHEL-08-010371, SV-230265r599732_rule, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 |
| Description | yum should be configured to verify the signature(s) of local packages
prior to installation. To configure yum to verify signatures of local
packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
|
| Rationale | Changes to any software components can have significant effects to the overall security
of the operating system. This requirement ensures the software has not been tampered and
has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must
be signed with a certificate recognized and approved by the organization. |
OVAL test results detailscheck value of localpkg_gpgcheck in /etc/yum.conf
oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/yum.conf | localpkg_gpgcheck=True
|
Ensure yum Removes Previous Package Versionsxccdf_org.ssgproject.content_rule_clean_components_post_updating lowCCE-82476-3
Ensure yum Removes Previous Package Versions
| Rule ID | xccdf_org.ssgproject.content_rule_clean_components_post_updating |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-clean_components_post_updating:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-82476-3 References:
18, 20, 4, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, 3.4.8, CCI-002617, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(6), CM-11(a), CM-11(b), CM-6(a), ID.RA-1, PR.IP-12, SRG-OS-000437-GPOS-00194, RHEL-08-010440, SV-230281r599732_rule, SRG-OS-000437-VMM-001760 |
| Description | yum should be configured to remove previous software components after
new versions have been installed. To configure yum to remove the
previous software components after updating, set the clean_requirements_on_remove
to 1 in /etc/yum.conf.
|
| Rationale | Previous versions of software components that are not removed from the information
system after updates have been installed may be exploited by some adversaries. |
OVAL test results detailscheck value of clean_requirements_on_remove in /etc/yum.conf
oval:ssg-test_yum_clean_components_post_updating:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/yum.conf | clean_requirements_on_remove=True |
Ensure gpgcheck Enabled In Main yum Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-80790-9
Ensure gpgcheck Enabled In Main yum Configuration
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_globally_activated:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80790-9 References:
BP28(R15), 1.2.4, 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, RHEL-08-010370, SV-230264r599732_rule, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 |
| Description | The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf in
the [main] section:
gpgcheck=1 |
| Rationale | Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system
components must be signed with a certificate recognized and approved by the
organization.
Verifying the authenticity of the software prior to installation
validates the integrity of the patch or upgrade received from a vendor.
This ensures the software has not been tampered with and that it has been
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). |
OVAL test results detailscheck value of gpgcheck in /etc/yum.conf
oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/yum.conf | gpgcheck=1 |
Enable GNOME3 Screensaver Lock After Idle Periodxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled mediumCCE-80777-6
Enable GNOME3 Screensaver Lock After Idle Period
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80777-6 References:
1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000058, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020030, SV-230347r599732_rule |
| Description | To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set lock-enabled to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-enabled=true
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update. |
| Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to logout because of the temporary nature of the absense. |
Set GNOME3 Screensaver Inactivity Timeoutxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay mediumCCE-80775-0
Set GNOME3 Screensaver Inactivity Timeout
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80775-0 References:
1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, RHEL-08-020060, SV-230352r599732_rule |
| Description | The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
For example, to configure the system for a 15 minute delay, add the following to
/etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session]
idle-delay=uint32 900
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update. |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from
the immediate physical vicinity of the information system but does not logout because of the
temporary nature of the absence. Rather than relying on the user to manually lock their operating
system session prior to vacating the vicinity, GNOME3 can be configured to identify when
a user's session has idled and take action to initiate a session lock. |
Disable GDM Automatic Loginxccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login highCCE-80823-8
Disable GDM Automatic Login
| Rule ID | xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80823-8 References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.1, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-6(1), CM-7(b), PR.IP-1, FIA_UAU.1, SRG-OS-000480-GPOS-00229, RHEL-08-010820, SV-230329r599732_rule |
| Description | The GNOME Display Manager (GDM) can allow users to automatically login without
user interaction or credentials. User should always be required to authenticate themselves
to the system that they are authorized to use. To disable user ability to automatically
login to the system, set the AutomaticLoginEnable to false in the
[daemon] section in /etc/gdm/custom.conf. For example:
[daemon]
AutomaticLoginEnable=false |
| Rationale | Failure to restrict system access to authenticated users negatively impacts operating
system security. |
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot highCCE-84028-0
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-84028-0 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.2, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-7(b), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-040171, SV-230530r599732_rule |
| Description | By default, GNOME will reboot the system if the
Ctrl-Alt-Del key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence
from the Graphical User Interface (GUI) instead of rebooting the system,
add or set logout to '' in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/plugins/media-keys]
logout=''
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/settings-daemon/plugins/media-keys/logout
After the settings have been set, run dconf update. |
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot. |
Install rng-tools Packagexccdf_org.ssgproject.content_rule_package_rng-tools_installed mediumCCE-82968-9
Install rng-tools Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_rng-tools_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_rng-tools_installed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82968-9 References:
SRG-OS-000480-GPOS-00227 |
| Description | The rng-tools package can be installed with the following command:
$ sudo yum install rng-tools |
| Rationale | rng-tools provides hardware random number generator tools,
such as those used in the formation of x509/PKI certificates.
|
OVAL test results detailspackage rng-tools is installed
oval:ssg-test_package_rng-tools_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| rng-tools | x86_64 | (none) | 3.el8 | 6.8 | 0:6.8-3.el8 | 199e2f91fd431d51 | rng-tools-0:6.8-3.el8.x86_64 |
Uninstall abrt-addon-ccpp Packagexccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed lowCCE-82919-2
Uninstall abrt-addon-ccpp Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt-addon-ccpp_removed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-82919-2 References:
SRG-OS-000095-GPOS-00049 |
| Description | The abrt-addon-ccpp package can be removed with the following command:
$ sudo yum erase abrt-addon-ccpp |
| Rationale | abrt-addon-ccpp contains hooks for C/C++ crashed programs and abrt's
C/C++ analyzer plugin.
|
OVAL test results detailspackage abrt-addon-ccpp is removed
oval:ssg-test_package_abrt-addon-ccpp_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-addon-ccpp_removed:obj:1 of type
rpminfo_object
Uninstall abrt-addon-kerneloops Packagexccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed lowCCE-82926-7
Uninstall abrt-addon-kerneloops Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt-addon-kerneloops_removed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-82926-7 References:
SRG-OS-000095-GPOS-00049 |
| Description | The abrt-addon-kerneloops package can be removed with the following command:
$ sudo yum erase abrt-addon-kerneloops |
| Rationale | abrt-addon-kerneloops contains plugins for collecting kernel crash information and
reporter plugin which sends this information to a specified server, usually to kerneloops.org.
|
OVAL test results detailspackage abrt-addon-kerneloops is removed
oval:ssg-test_package_abrt-addon-kerneloops_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-addon-kerneloops_removed:obj:1 of type
rpminfo_object
| Name |
|---|
| abrt-addon-kerneloops |
Uninstall abrt-addon-python Packagexccdf_org.ssgproject.content_rule_package_abrt-addon-python_removed lowCCE-82923-4
Uninstall abrt-addon-python Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-addon-python_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt-addon-python_removed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-82923-4 References:
SRG-OS-000095-GPOS-00049 |
| Description | The abrt-addon-python package can be removed with the following command:
$ sudo yum erase abrt-addon-python |
| Rationale | abrt-addon-python contains python hook and python analyzer
plugin for handling uncaught exceptions in python programs.
|
OVAL test results detailspackage abrt-addon-python is removed
oval:ssg-test_package_abrt-addon-python_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-addon-python_removed:obj:1 of type
rpminfo_object
Uninstall abrt-cli Packagexccdf_org.ssgproject.content_rule_package_abrt-cli_removed lowCCE-82907-7
Uninstall abrt-cli Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-cli_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt-cli_removed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-82907-7 References:
SRG-OS-000095-GPOS-00049 |
| Description | The abrt-cli package can be removed with the following command:
$ sudo yum erase abrt-cli |
| Rationale | abrt-cli contains a command line client for controlling abrt daemon
over sockets.
|
OVAL test results detailspackage abrt-cli is removed
oval:ssg-test_package_abrt-cli_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-cli_removed:obj:1 of type
rpminfo_object
Uninstall abrt-plugin-logger Packagexccdf_org.ssgproject.content_rule_package_abrt-plugin-logger_removed lowCCE-82913-5
Uninstall abrt-plugin-logger Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-plugin-logger_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt-plugin-logger_removed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-82913-5 References:
SRG-OS-000095-GPOS-00049 |
| Description | The abrt-plugin-logger package can be removed with the following command:
$ sudo yum erase abrt-plugin-logger |
| Rationale | abrt-plugin-logger is an ABRT plugin which writes a report
to a specified file.
|
OVAL test results detailspackage abrt-plugin-logger is removed
oval:ssg-test_package_abrt-plugin-logger_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-plugin-logger_removed:obj:1 of type
rpminfo_object
Uninstall abrt-plugin-rhtsupport Packagexccdf_org.ssgproject.content_rule_package_abrt-plugin-rhtsupport_removed lowCCE-82916-8
Uninstall abrt-plugin-rhtsupport Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-plugin-rhtsupport_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt-plugin-rhtsupport_removed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-82916-8 References:
SRG-OS-000095-GPOS-00049 |
| Description | The abrt-plugin-rhtsupport package can be removed with the following command:
$ sudo yum erase abrt-plugin-rhtsupport |
| Rationale | abrt-plugin-rhtsupport is a ABRT plugin to report bugs into the
Red Hat Support system.
|
OVAL test results detailspackage abrt-plugin-rhtsupport is removed
oval:ssg-test_package_abrt-plugin-rhtsupport_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-plugin-rhtsupport_removed:obj:1 of type
rpminfo_object
| Name |
|---|
| abrt-plugin-rhtsupport |
Uninstall abrt-plugin-sosreport Packagexccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed lowCCE-82910-1
Uninstall abrt-plugin-sosreport Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt-plugin-sosreport_removed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-82910-1 References:
SRG-OS-000095-GPOS-00049 |
| Description | The abrt-plugin-sosreport package can be removed with the following command:
$ sudo yum erase abrt-plugin-sosreport |
| Rationale | abrt-plugin-sosreport provides a plugin to include an sosreport in an ABRT report.
|
OVAL test results detailspackage abrt-plugin-sosreport is removed
oval:ssg-test_package_abrt-plugin-sosreport_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-plugin-sosreport_removed:obj:1 of type
rpminfo_object
| Name |
|---|
| abrt-plugin-sosreport |
Uninstall iprutils Packagexccdf_org.ssgproject.content_rule_package_iprutils_removed lowCCE-82946-5
Uninstall iprutils Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_iprutils_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_iprutils_removed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-82946-5 References:
SRG-OS-000095-GPOS-00049, RHEL-08-040380, SV-230560r599732_rule |
| Description | The iprutils package can be removed with the following command:
$ sudo yum erase iprutils |
| Rationale | iprutils provides a suite of utlilities to manage and configure SCSI devices
supported by the ipr SCSI storage device driver.
|
OVAL test results detailspackage iprutils is removed
oval:ssg-test_package_iprutils_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_iprutils_removed:obj:1 of type
rpminfo_object
Uninstall krb5-workstation Packagexccdf_org.ssgproject.content_rule_package_krb5-workstation_removed mediumCCE-82931-7
Uninstall krb5-workstation Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_krb5-workstation_removed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82931-7 References:
SRG-OS-000095-GPOS-00049, SRG-OS-000120-GPOS-00061, RHEL-08-010162, SV-230239r599732_rule |
| Description | The krb5-workstation package can be removed with the following command:
$ sudo yum erase krb5-workstation |
| Rationale | Kerberos is a network authentication system. The krb5-workstation package contains the basic
Kerberos programs (kinit, klist, kdestroy, kpasswd).
Currently, Kerberos does not utilize FIPS 140-2 cryptography and is not permitted on Government networks,
nor is it permitted in many regulatory environments such as HIPAA. |
OVAL test results detailspackage krb5-workstation is removed
oval:ssg-test_package_krb5-workstation_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_krb5-workstation_removed:obj:1 of type
rpminfo_object
Uninstall tuned Packagexccdf_org.ssgproject.content_rule_package_tuned_removed lowCCE-82904-4
Uninstall tuned Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_tuned_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_tuned_removed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-82904-4 References:
SRG-OS-000095-GPOS-00049, RHEL-08-040390, SV-230561r599732_rule |
| Description | The tuned package can be removed with the following command:
$ sudo yum erase tuned |
| Rationale | tuned contains a daemon that tunes the system settings dynamically.
It does so by monitoring the usage of several system components periodically. Based
on that information, components will then be put into lower or higher power savings
modes to adapt to the current usage.
|
OVAL test results detailspackage tuned is removed
oval:ssg-test_package_tuned_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tuned_removed:obj:1 of type
rpminfo_object
Ensure /tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_tmp lowCCE-80851-9
Ensure /tmp Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_tmp |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_tmp:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-80851-9 References:
BP28(R12), 1.1.2, 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, SV-230295r599732_rule |
| Description | The /tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM. |
| Rationale | The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. |
OVAL test results details/tmp on own partition
oval:ssg-testtmp_partition:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /tmp | /dev/mapper/vg0-lv_tmp | ea351f84-45dc-4eb1-bc4f-9c11f6799657 | xfs | rw | seclabel | nosuid | nodev | noexec | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 783872 | 13750 | 770122 |
Ensure /var/log/audit Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log_audit lowCCE-80854-3
Ensure /var/log/audit Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_var_log_audit:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-80854-3 References:
1.1.12, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, RHEL-08-010542, SV-230294r599732_rule, SRG-OS-000341-VMM-001220 |
| Description | Audit logs are stored in the /var/log/audit directory. Ensure that it
has its own partition or logical volume at installation time, or migrate it
later using LVM. Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon. |
| Rationale | Placing /var/log/audit in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. |
OVAL test results details/var/log/audit on own partition
oval:ssg-testvar_log_audit_partition:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /var/log/audit | /dev/mapper/vg0-lv_var_audit | e8ba62ce-fa8b-4c33-9be5-32c10a024675 | xfs | rw | seclabel | nosuid | nodev | noexec | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 2094592 | 100566 | 1994026 |
Ensure /home Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_home lowCCE-81044-0
Ensure /home Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_home |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_home:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-81044-0 References:
BP28(R12), 1.1.13, 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010800, SV-230328r599732_rule |
| Description | If user home directories will be stored locally, create a separate partition
for /home at installation time (or migrate it later using LVM). If
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later. |
| Rationale | Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. |
OVAL test results details/home on own partition
oval:ssg-testhome_partition:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /home | /dev/mapper/vg0-lv_home | 809086ff-8cc9-40eb-8916-a1bf5c5727c8 | xfs | rw | seclabel | nosuid | nodev | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 1046016 | 15571 | 1030445 |
Ensure /var/log Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log mediumCCE-80853-5
Ensure /var/log Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_var_log:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80853-5 References:
BP28(R12), BP28(R47), 1.1.11, 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010541, SV-230293r599732_rule |
| Description | System logs are stored in the /var/log directory.
Ensure that it has its own partition or logical
volume at installation time, or migrate it using LVM. |
| Rationale | Placing /var/log in its own partition
enables better separation between log files
and other files in /var/. |
OVAL test results details/var/log on own partition
oval:ssg-testvar_log_partition:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /var/log | /dev/mapper/vg0-lv_var_log | 7769ec2e-40c5-4967-bffd-cc04c3af94be | xfs | rw | seclabel | nosuid | nodev | noexec | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 2094592 | 25083 | 2069509 |
Ensure /var Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var lowCCE-80852-7
Ensure /var Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_var:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-80852-7 References:
BP28(R12), 1.1.6, 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010540, SV-230292r599732_rule, SRG-OS-000341-VMM-001220 |
| Description | The /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM. |
| Rationale | Ensuring that /var is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. |
OVAL test results details/var on own partition
oval:ssg-testvar_partition:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /var | /dev/mapper/vg0-lv_var | 17c05e7e-3ab1-4663-be9b-4a6bb9a3adad | xfs | rw | seclabel | nosuid | nodev | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 1046016 | 141654 | 904362 |
Encrypt Partitionsxccdf_org.ssgproject.content_rule_encrypt_partitions highCCE-80789-1
Encrypt Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_encrypt_partitions |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80789-1 References:
13, 14, APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 3.13.16, CCI-001199, CCI-002475, CCI-002476, 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d), SR 3.4, SR 4.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), SC-28, SC-28(1), SC-13, AU-9(3), PR.DS-1, PR.DS-5, SRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, RHEL-08-010030, SV-230224r599732_rule, SRG-OS-000404-VMM-001650, SRG-OS-000405-VMM-001660 |
| Description | Red Hat Enterprise Linux 8 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.
For manual installations, select the Encrypt checkbox during
partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.
For automated/unattended installations, it is possible to use Kickstart by adding
the --encrypted and --passphrase= options to the definition of each partition to be
encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart
must then be protected accordingly.
Omitting the --passphrase= option from the partition definition will cause the
installer to pause and interactively ask for the passphrase during installation.
By default, the Anaconda installer uses aes-xts-plain64 cipher
with a minimum 512 bit key size which should be compatible with FIPS enabled.
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
the Red Hat Enterprise Linux 8 Documentation web site:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html. |
| Rationale | The risk of a system's physical compromise, particularly mobile systems such as
laptops, places its data at risk of compromise. Encrypting this data mitigates
the risk of its loss if the system is lost. |
Evaluation messagesinfo
No candidate or applicable check found. |
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWDxccdf_org.ssgproject.content_rule_sudo_remove_nopasswd mediumCCE-82197-5
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudo_remove_nopasswd:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82197-5 References:
BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010380, SV-230271r599732_rule, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 |
| Description | The sudo NOPASSWD tag, when specified, allows a user to execute
commands using sudo without having to authenticate. This should be disabled
by making sure that the NOPASSWD tag does not exist in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. |
| Rationale | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. |
|
|
OVAL test results detailsNOPASSWD does not exist /etc/sudoers
oval:ssg-test_nopasswd_etc_sudoers:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sudoers | ec2-user ALL=(ALL) NOPASSWD: ALL |
NOPASSWD does not exist in /etc/sudoers.d
oval:ssg-test_nopasswd_etc_sudoers_d:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sudoers.d/90-cloud-init-users | ec2-user ALL=(ALL) NOPASSWD:ALL |
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticatexccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate mediumCCE-82202-3
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudo_remove_no_authenticate:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82202-3 References:
BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010381, SV-230272r599732_rule, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 |
| Description | The sudo !authenticate option, when specified, allows a user to execute commands using
sudo without having to authenticate. This should be disabled by making sure that the
!authenticate option does not exist in /etc/sudoers configuration file or
any sudo configuration snippets in /etc/sudoers.d/. |
| Rationale | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. |
OVAL test results details!authenticate does not exist in /etc/sudoers
oval:ssg-test_no_authenticate_etc_sudoers:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/sudoers | ^(?!#).*[\s]+\!authenticate.*$ | 1 |
!authenticate does not exist in /etc/sudoers.d
oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/sudoers.d | ^.*$ | ^(?!#).*[\s]+\!authenticate.*$ | 1 |
Set the GNOME3 Login Warning Banner Textxccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text mediumCCE-80770-1
Set the GNOME3 Login Warning Banner Text
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80770-1 References:
1.8.2, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088, RHEL-08-010050, SV-230226r599732_rule |
| Description | In the default graphical environment, configuring the login warning banner text
in the GNOME Display Manager's login screen can be configured on the login
screen by setting banner-message-text to 'APPROVED_BANNER'
where APPROVED_BANNER is the approved banner for your environment.
To enable, add or edit banner-message-text to
/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'
Once the setting has been added, add a lock to
/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-text
After the settings have been set, run dconf update.
When entering a warning banner that spans several lines, remember
to begin and end the string with ' and use \n for new lines. |
| Rationale | An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers. |
Enable GNOME3 Login Warning Bannerxccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled mediumCCE-80768-5
Enable GNOME3 Login Warning Banner
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80768-5 References:
1.8.2, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088 |
| Description | In the default graphical environment, displaying a login warning banner
in the GNOME Display Manager's login screen can be enabled on the login
screen by setting banner-message-enable to true.
To enable, add or edit banner-message-enable to
/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to
/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update.
The banner text must also be set. |
| Rationale | Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws,
Executive Orders, directives, policies, regulations, standards, and guidance.
For U.S. Government systems, system use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not exist. |
Modify the System Login Bannerxccdf_org.ssgproject.content_rule_banner_etc_issue mediumCCE-80763-6
Modify the System Login Banner
| Rule ID | xccdf_org.ssgproject.content_rule_banner_etc_issue |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-banner_etc_issue:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80763-6 References:
1.8.1.2, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, RHEL-08-010060, SV-230227r599732_rule, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070 |
| Description | To configure the system login banner edit /etc/issue. Replace the
default text with a message compliant with the local site policy or a legal
disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.
OR:
I've read & consent to terms in IS user agreem't. |
| Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not
exist. |
OVAL test results detailscorrect banner in /etc/issue
oval:ssg-test_banner_etc_issue:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/issue | You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
|
Set Password Hashing Algorithm in /etc/login.defsxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs mediumCCE-80892-3
Set Password Hashing Algorithm in /etc/login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-set_password_hashing_algorithm_logindefs:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80892-3 References:
BP28(R32), 6.3.1, 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, RHEL-08-010110, SV-230231r599732_rule |
| Description | In /etc/login.defs, add or correct the following line to ensure
the system will use SHA-512 as the hashing algorithm:
ENCRYPT_METHOD SHA512 |
| Rationale | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords
that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.
Using a stronger hashing algorithm makes password cracking attacks more difficult. |
OVAL test results detailsThe value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs
oval:ssg-test_etc_login_defs_encrypt_method:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-variable_last_encrypt_method_instance_value:var:1 | SHA512 |
Set PAM's Password Hashing Algorithmxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth mediumCCE-80893-1
Set PAM's Password Hashing Algorithm
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-set_password_hashing_algorithm_systemauth:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80893-1 References:
5.4.4, 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000480-VMM-002000 |
| Description | The PAM system service can be configured to only store encrypted
representations of passwords. In /etc/pam.d/system-auth, the
password section of the file controls which PAM modules execute
during a password change. Set the pam_unix.so module in the
password section to include the argument sha512, as shown
below:
password sufficient pam_unix.so sha512 other arguments...
This will help ensure when local users change their passwords, hashes for
the new passwords will be generated using the SHA-512 algorithm. This is
the default. |
| Rationale | Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kepy in plain text.
This setting ensures user and group account administration utilities are
configured to store only encrypted representations of passwords.
Additionally, the crypt_style configuration option ensures the use
of a strong hashing algorithm that makes password cracking attacks more
difficult. |
OVAL test results detailscheck /etc/pam.d/system-auth for correct settings
oval:ssg-test_pam_unix_sha512:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth | password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5 |
Limit Password Reusexccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember mediumCCE-80666-1
Limit Password Reuse
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_unix_remember:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80666-1 References:
5.3.3, 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, RHEL-08-020220, SV-230368r599732_rule, SRG-OS-000077-VMM-000440 |
| Description | Do not allow users to reuse recent passwords. This can be
accomplished by using the remember option for the pam_unix
or pam_pwhistory PAM modules.
In the file /etc/pam.d/system-auth, append remember=5
to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below:
The DoD STIG requirement is 5 passwords. |
| Rationale | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. |
OVAL test results detailsTest if remember attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth
oval:ssg-test_accounts_password_pam_unix_remember:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth | password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5 |
Test if remember attribute of pam_pwhistory.so is set correctly in /etc/pam.d/system-auth
oval:ssg-test_accounts_password_pam_pwhistory_remember:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/pam.d/system-auth | ^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*remember=([0-9]*).*$ | 1 |
Set Deny For Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny mediumCCE-80667-9
Set Deny For Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_deny:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80667-9 References:
5.3.2, 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020010, SV-230332r599827_rule, SRG-OS-000021-VMM-000050 |
| Description | To configure the system to lock out accounts after a number of incorrect login
attempts using pam_faillock.so, modify the content of both
/etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
- add the following line immediately
before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900 - add the following line immediately
after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900 - add the following line immediately
before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.so
|
| Rationale | Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks. |
OVAL test results detailsCheck pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix.
oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
auth required pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root unlock_time=0
auth sufficient pam_unix.so try_first_pass
|
Check if pam_faillock.so is called in account phase before pam_unix
oval:ssg-test_accounts_passwords_pam_faillock_account_phase_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
account required pam_faillock.so
account required pam_unix.so
|
Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix
oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/password-auth |
auth required pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root unlock_time=0
auth sufficient pam_unix.so try_first_pass
|
Check if pam_faillock_so is called in account phase before pam_unix.
oval:ssg-test_accounts_passwords_pam_faillock_account_phase_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/password-auth |
account required pam_faillock.so
account required pam_unix.so
|
Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value
oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_system-auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_system-auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| 3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin | /etc/pam.d/system-auth | 1 |
Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail
oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 |
Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value
oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_password-auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_password-auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| 3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin | /etc/pam.d/password-auth | 1 |
Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct.
oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/password-auth |
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 |
Set Interval For Counting Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval mediumCCE-80669-5
Set Interval For Counting Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_interval:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80669-5 References:
1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020012, SV-230334r599829_rule, SRG-OS-000021-VMM-000050 |
| Description | Utilizing pam_faillock.so, the fail_interval directive
configures the system to lock out an account after a number of incorrect
login attempts within a specified time period. Modify the content of both
/etc/pam.d/system-auth and /etc/pam.d/password-auth
as follows:
- Add the following line immediately
before the
pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900
- Add the following line immediately
after the
pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900
- Add the following line immediately
before the
pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.so
|
| Rationale | By limiting the number of failed logon attempts the risk of unauthorized system
access via user password guessing, otherwise known as brute-forcing, is reduced.
Limits are imposed by locking the account. |
OVAL test results detailscheck maximum preauth fail_interval allowed in /etc/pam.d/system-auth
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth | auth required pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root unlock_time=0 |
check maximum authfail fail_interval allowed in /etc/pam.d/system-auth
oval:ssg-test_accounts_passwords_pam_faillock_authfail_fail_interval_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth | auth [default=die] pam_faillock.so authfail deny=3 fail_interval=900 even_deny_root unlock_time=0 |
check maximum authfail fail_interval allowed in /etc/pam.d/password-auth
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/password-auth | auth [default=die] pam_faillock.so authfail deny=3 fail_interval=900 even_deny_root unlock_time=0 |
check maximum preauth fail_interval allowed in /etc/pam.d/password-auth
oval:ssg-test_accounts_passwords_pam_faillock_preauth_fail_interval_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/password-auth | auth required pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root unlock_time=0 |
check if pam_faillock.so is required in account section in /etc/pam.d/password-auth
oval:ssg-test_accounts_passwords_pam_faillock_account_requires_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/password-auth |
account required pam_faillock.so |
check if pam_faillock.so is required in account section in /etc/pam.d/system-auth
oval:ssg-test_accounts_passwords_pam_faillock_account_requires_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
account required pam_faillock.so |
Configure the root Account for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root mediumCCE-80668-7
Configure the root Account for Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_deny_root:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80668-7 References:
1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020022, SV-230344r599839_rule |
| Description | To configure the system to lock out the root account after a
number of incorrect login attempts using pam_faillock.so, modify
the content of both /etc/pam.d/system-auth and
/etc/pam.d/password-auth as follows:
|
| Rationale | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password
guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. |
OVAL test results detailsCheck pam_faillock.so preauth silent present in /etc/pam.d/system-auth
oval:ssg-test_pam_faillock_preauth_silent_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
auth required pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root unlock_time=0
auth sufficient pam_unix.so try_first_pass
|
Check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail)
oval:ssg-test_pam_faillock_authfail_deny_root_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 fail_interval=900 even_deny_root unlock_time=0
|
Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth
oval:ssg-test_pam_faillock_preauth_silent_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/password-auth |
auth required pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root unlock_time=0
auth sufficient pam_unix.so try_first_pass
|
Check maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail)
oval:ssg-test_pam_faillock_authfail_deny_root_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/password-auth |
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 fail_interval=900 even_deny_root unlock_time=0
|
Set Lockout Time for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time mediumCCE-80670-3
Set Lockout Time for Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80670-3 References:
5.3.2, 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020014, SV-230336r599831_rule, SRG-OS-000329-VMM-001180 |
| Description | To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using pam_faillock.so,
modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
- add the following line immediately
before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900 - add the following line immediately
after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900 - add the following line immediately
before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.so
If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user. |
| Rationale | Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks. Ensuring that an administrator is
involved in unlocking locked accounts draws appropriate attention to such
situations. |
OVAL test results detailsCheck if external variable unlock time is never
oval:ssg-test_var_faillock_unlock_time_is_never:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1 | 0 |
Check if unlock time is never
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_is_never:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/password-auth | auth [default=die] pam_faillock.so authfail deny=3 fail_interval=900 even_deny_root unlock_time=0 |
| /etc/pam.d/system-auth | auth required pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root unlock_time=0 |
| /etc/pam.d/system-auth | auth [default=die] pam_faillock.so authfail deny=3 fail_interval=900 even_deny_root unlock_time=0 |
| /etc/pam.d/password-auth | auth required pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root unlock_time=0 |
Check if external variable unlock time is never
oval:ssg-test_var_faillock_unlock_time_is_never:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1 | 0 |
Check if unlock time is never, or greater than or equal external variable
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_greater_or_equal_ext_var:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/password-auth | auth [default=die] pam_faillock.so authfail deny=3 fail_interval=900 even_deny_root unlock_time=0 |
| /etc/pam.d/system-auth | auth required pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root unlock_time=0 |
| /etc/pam.d/system-auth | auth [default=die] pam_faillock.so authfail deny=3 fail_interval=900 even_deny_root unlock_time=0 |
| /etc/pam.d/password-auth | auth required pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root unlock_time=0 |
Ensure PAM Enforces Password Requirements - Minimum Lengthxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen mediumCCE-80656-2
Ensure PAM Enforces Password Requirements - Minimum Length
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_minlen:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80656-2 References:
6.3.2, 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000078-GPOS-00046, RHEL-08-020230, SV-230369r599732_rule, SRG-OS-000072-VMM-000390, SRG-OS-000078-VMM-000450 |
| Description | The pam_pwquality module's minlen parameter controls requirements for
minimum characters required in a password. Add minlen=15
after pam_pwquality to set minimum password length requirements. |
| Rationale | The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a
password in resisting attempts at guessing and brute-force attacks.
Password length is one factor of several that helps to determine strength
and how long it takes to crack a password. Use of more characters in a password
helps to exponentially increase the time and/or resources required to
compromose the password. |
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_minlen:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/security/pwquality.conf | minlen = 15
|
Ensure PAM Enforces Password Requirements - Minimum Special Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit mediumCCE-80663-8
Ensure PAM Enforces Password Requirements - Minimum Special Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_ocredit:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80663-8 References:
1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-001619, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000266-GPOS-00101, RHEL-08-020280, SV-230375r599732_rule, SRG-OS-000266-VMM-000940 |
| Description | The pam_pwquality module's ocredit= parameter controls requirements for
usage of special (or "other") characters in a password. When set to a negative number,
any password will be required to contain that many special characters.
When set to a positive number, pam_pwquality will grant +1
additional length credit for each special character. Modify the ocredit setting
in /etc/security/pwquality.conf to equal -1
to require use of a special character in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possble combinations that need to be tested before the password is compromised.
Requiring a minimum number of special characters makes password guessing attacks
more difficult by ensuring a larger search space. |
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_ocredit:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/security/pwquality.conf | ocredit = -1
|
Ensure PAM Enforces Password Requirements - Minimum Uppercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit mediumCCE-80665-3
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_ucredit:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80665-3 References:
6.3.2, 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000069-GPOS-00037, RHEL-08-020110, SV-230357r599732_rule, SRG-OS-000069-VMM-000360 |
| Description | The pam_pwquality module's ucredit= parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each uppercase character. Modify the ucredit setting in
/etc/security/pwquality.conf to require the use of an uppercase character in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources reuiqred to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more
complex the password, the greater the number of possible combinations that need to be tested before
the password is compromised. |
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_ucredit:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/security/pwquality.conf | ucredit = -1
|
Ensure PAM Enforces Password Requirements - Minimum Digit Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit mediumCCE-80653-9
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_dcredit:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80653-9 References:
6.3.2, 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000194, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000071-GPOS-00039, RHEL-08-020130, SV-230359r599732_rule, SRG-OS-000071-VMM-000380 |
| Description | The pam_pwquality module's dcredit parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each digit. Modify the dcredit setting in
/etc/security/pwquality.conf to require the use of a digit in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possible combinations that need to be tested before the password is compromised.
Requiring digits makes password guessing attacks more difficult by ensuring a larger
search space. |
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_dcredit:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/security/pwquality.conf | dcredit = -1
|
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Sessionxccdf_org.ssgproject.content_rule_accounts_password_pam_retry mediumCCE-80664-6
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_retry |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_retry:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80664-6 References:
6.3.2, 1, 11, 12, 15, 16, 3, 5, 9, 5.5.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000480-GPOS-00225, RHEL-08-020100, SV-230356r599732_rule |
| Description | To configure the number of retry prompts that are permitted per-session:
Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to
show retry=3, or a lower value if
site policy is more restrictive.
The DoD requirement is a maximum of 3 prompts per session. |
| Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value
requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks. Note that this
is different from account lockout, which is provided by the pam_faillock module. |
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality_retry:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 |
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Classxccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat mediumCCE-81034-1
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_maxclassrepeat:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81034-1 References:
1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020140, SV-230360r599732_rule |
| Description | The pam_pwquality module's maxclassrepeat parameter controls requirements for
consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters from the same character class. Modify the
maxclassrepeat setting in /etc/security/pwquality.conf to equal 4
to prevent a run of ( 4 + 1) or more identical characters. |
| Rationale | Use of a complex password helps to increase the time and resources required to comrpomise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting
attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The
more complex a password, the greater the number of possible combinations that need to be tested before the
password is compromised. |
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_maxclassrepeat:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/security/pwquality.conf | maxclassrepeat = 4
|
Ensure PAM Enforces Password Requirements - Minimum Different Categoriesxccdf_org.ssgproject.content_rule_accounts_password_pam_minclass mediumCCE-82046-4
Ensure PAM Enforces Password Requirements - Minimum Different Categories
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_minclass:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82046-4 References:
1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020160, SV-230362r599732_rule |
| Description | The pam_pwquality module's minclass parameter controls
requirements for usage of different character classes, or types, of character
that must exist in a password before it is considered valid. For example,
setting this value to three (3) requires that any password must have characters
from at least three different categories in order to be approved. The default
value is zero (0), meaning there are no required classes. There are four
categories available:
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry
to require 4
differing categories of characters when changing passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The
more complex the password, the greater the number of possible combinations that need to be tested before
the password is compromised.
Requiring a minimum number of character categories makes password guessing attacks more difficult
by ensuring a larger search space. |
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_minclass:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/security/pwquality.conf | minclass = 4
|
Set Password Maximum Consecutive Repeating Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat mediumCCE-82066-2
Set Password Maximum Consecutive Repeating Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_maxrepeat:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82066-2 References:
1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020150, SV-230361r599732_rule |
| Description | The pam_pwquality module's maxrepeat parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters. Modify the maxrepeat setting
in /etc/security/pwquality.conf to equal 3 to prevent a
run of ( 3 + 1) or more identical characters. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more
complex the password, the greater the number of possible combinations that need to be tested before the
password is compromised.
Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. |
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_maxrepeat:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/security/pwquality.conf | maxrepeat = 3
|
Ensure PAM Enforces Password Requirements - Minimum Lowercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit mediumCCE-80655-4
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_lcredit:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80655-4 References:
1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000070-GPOS-00038, RHEL-08-020120, SV-230358r599732_rule, SRG-OS-000070-VMM-000370 |
| Description | The pam_pwquality module's lcredit parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each lowercase character. Modify the lcredit setting in
/etc/security/pwquality.conf to require the use of a lowercase character in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possble combinations that need to be tested before the password is compromised.
Requiring a minimum number of lowercase characters makes password guessing attacks
more difficult by ensuring a larger search space. |
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_lcredit:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/security/pwquality.conf | lcredit = -1
|
Ensure PAM Enforces Password Requirements - Minimum Different Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_difok mediumCCE-80654-7
Ensure PAM Enforces Password Requirements - Minimum Different Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_difok |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_difok:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80654-7 References:
1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(b), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020170, SV-230363r599732_rule, SRG-OS-000072-VMM-000390 |
| Description | The pam_pwquality module's difok parameter sets the number of characters
in a password that must not be present in and old password during a password change.
Modify the difok setting in /etc/security/pwquality.conf
to equal 8 to require differing characters
when changing passwords. |
| Rationale | Use of a complex password helps to increase the time and resources
required to compromise the password. Password complexity, or strength,
is a measure of the effectiveness of a password in resisting attempts
at guessing and brute–force attacks.
Password complexity is one factor of several that determines how long
it takes to crack a password. The more complex the password, the
greater the number of possible combinations that need to be tested
before the password is compromised.
Requiring a minimum number of different characters during password changes ensures that
newly changed passwords should not resemble previously compromised ones.
Note that passwords which are changed on compromised systems will still be compromised, however. |
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/system-auth |
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_difok:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/security/pwquality.conf | difok = 8
|
Ensure PAM Displays Last Logon/Access Notificationxccdf_org.ssgproject.content_rule_display_login_attempts lowCCE-80788-3
Ensure PAM Displays Last Logon/Access Notification
| Rule ID | xccdf_org.ssgproject.content_rule_display_login_attempts |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-display_login_attempts:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-80788-3 References:
1, 12, 15, 16, 5.5.2, DSS05.04, DSS05.10, DSS06.10, CCI-000366, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0582, 0584, 05885, 0586, 0846, 0957, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-9(1), CM-6(a), PR.AC-7, Req-10.2.4, SRG-OS-000480-GPOS-00227, RHEL-08-020340, SV-230381r599732_rule |
| Description | To configure the system to notify users of last logon/access
using pam_lastlog, add or correct the pam_lastlog settings in
/etc/pam.d/postlogin to read as follows:
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed |
| Rationale | Users need to be aware of activity that occurs regarding
their account. Providing users with information regarding the number
of unsuccessful attempts that were made to login to their account
allows the user to determine if any unauthorized activity has occurred
and gives them an opportunity to notify administrators. |
OVAL test results detailsCheck the pam_lastlog configuration
oval:ssg-test_display_login_attempts:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/pam.d/postlogin |
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
|
Install the opensc Package For Multifactor Authenticationxccdf_org.ssgproject.content_rule_package_opensc_installed mediumCCE-80846-9
Install the opensc Package For Multifactor Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_package_opensc_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_opensc_installed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80846-9 References:
CCI-001954, 1382, 1384, 1386, CM-6(a), SRG-OS-000375-GPOS-00160, RHEL-08-010410, SV-230275r599732_rule, SRG-OS-000376-VMM-001520 |
| Description | The opensc package can be installed with the following command:
$ sudo yum install opensc |
| Rationale | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card. |
OVAL test results detailspackage opensc is installed
oval:ssg-test_package_opensc_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| opensc | x86_64 | (none) | 4.el8 | 0.20.0 | 0:0.20.0-4.el8 | 199e2f91fd431d51 | opensc-0:0.20.0-4.el8.x86_64 |
Install Smart Card Packages For Multifactor Authenticationxccdf_org.ssgproject.content_rule_install_smartcard_packages mediumCCE-84029-8
Install Smart Card Packages For Multifactor Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_install_smartcard_packages |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-install_smartcard_packages:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84029-8 References:
CCI-000765, CCI-001948, CCI-001953, CCI-001954, CM-6(a), SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000377-GPOS-00162, RHEL-08-010390, SV-230273r599732_rule |
| Description | Configure the operating system to implement multifactor authentication by
installing the required package with the following command:
The openssl-pkcs11 package can be installed with the following command:
$ sudo yum install openssl-pkcs11 |
| Rationale | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card. |
OVAL test results detailspackage openssl-pkcs11 is installed
oval:ssg-test_package_openssl-pkcs11_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssl-pkcs11 | x86_64 | (none) | 2.el8 | 0.4.10 | 0:0.4.10-2.el8 | 199e2f91fd431d51 | openssl-pkcs11-0:0.4.10-2.el8.x86_64 |
Install the tmux Packagexccdf_org.ssgproject.content_rule_package_tmux_installed mediumCCE-80644-8
Install the tmux Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_tmux_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_tmux_installed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80644-8 References:
1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000058, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000030-GPOS-00011, SRG-OS-000030-VMM-000110 |
| Description | To enable console screen locking, install the tmux package.
The tmux package can be installed with the following command:
$ sudo yum install tmux
Instruct users to begin new terminal sessions with the following command:
$ tmux
The console can now be locked with the following key combination:
ctrl+b :lock-session |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity,
operating systems need to be able to identify when a user's session has idled and take action to initiate the
session lock.
The tmux package allows for a session lock to be implemented and configured. |
OVAL test results detailspackage tmux is installed
oval:ssg-test_package_tmux_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| tmux | x86_64 | (none) | 1.el8 | 2.7 | 0:2.7-1.el8 | 199e2f91fd431d51 | tmux-0:2.7-1.el8.x86_64 |
Configure the tmux Lock Commandxccdf_org.ssgproject.content_rule_configure_tmux_lock_command mediumCCE-80940-0
Configure the tmux Lock Command
| Rule ID | xccdf_org.ssgproject.content_rule_configure_tmux_lock_command |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_tmux_lock_command:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80940-0 References:
CCI-000056, CCI-000058, AC-11(a), AC-11(b), CM-6(a), SRG-OS-000028-GPOS-00009, RHEL-08-020040, SV-230348r599732_rule, SRG-OS-000028-VMM-000090, SRG-OS-000030-VMM-000110 |
| Description | To enable console screen locking in tmux terminal multiplexer,
the vlock command must be configured to be used as a locking
mechanism.
Add the following line to /etc/tmux.conf:
set -g lock-command vlock .
The console can now be locked with the following key combination:
ctrl+b :lock-session |
| Rationale | The tmux package allows for a session lock to be implemented and configured.
However, the session lock is implemented by an external command. The tmux
default configuration does not contain an effective session lock. |
OVAL test results detailscheck lock-command is set to vlock in /etc/tmux.conf
oval:ssg-test_configure_tmux_lock_command:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/tmux.conf | set -g lock-command vlock |
Prevent user from disabling the screen lockxccdf_org.ssgproject.content_rule_no_tmux_in_shells mediumCCE-82361-7
Prevent user from disabling the screen lock
| Rule ID | xccdf_org.ssgproject.content_rule_no_tmux_in_shells |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_tmux_in_shells:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82361-7 References:
FMT_SMF_EXT.1, SRG-OS-000324-GPOS-00125, RHEL-08-020042, SV-230350r599732_rule |
| Description | The tmux terminal multiplexer is used to implement
autimatic session locking. It should not be listed in
/etc/shells. |
| Rationale | Not listing tmux among permitted shells
prevents malicious program running as user
from lowering security by disabling the screen lock. |
OVAL test results detailscheck that tmux is not listed in /etc/shells
oval:ssg-test_no_tmux_in_shells:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_no_tmux_in_shells:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/shells | tmux$ | 1 |
Support session locking with tmuxxccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux mediumCCE-82266-8
Support session locking with tmux
| Rule ID | xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_bashrc_exec_tmux:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82266-8 References:
FMT_SMF_EXT.1, SRG-OS-000031-GPOS-00012, RHEL-08-020041, SV-230349r599732_rule |
| Description | The tmux terminal multiplexer is used to implement
automatic session locking. It should be started from
/etc/bashrc. |
| Rationale | Unlike bash itself, the tmux terminal multiplexer
provides a mechanism to lock sessions after period of inactivity. |
OVAL test results detailscheck tmux is configured to exec on the last line of /etc/bashrc
oval:ssg-test_configure_bashrc_exec_tmux:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/bashrc | # /etc/bashrc
# System wide functions and aliases
# Environment stuff goes in /etc/profile
# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.
# Prevent doublesourcing
if [ -z "$BASHRCSOURCED" ]; then
BASHRCSOURCED="Y"
# are we an interactive shell?
if [ "$PS1" ]; then
if [ -z "$PROMPT_COMMAND" ]; then
case $TERM in
xterm*|vte*)
if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
elif [ "${VTE_VERSION:-0}" -ge 3405 ]; then
PROMPT_COMMAND="__vte_prompt_command"
else
PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
fi
;;
screen*)
if [ -e /etc/sysconfig/bash-prompt-screen ]; then
PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen
else
PROMPT_COMMAND='printf "\033k%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
fi
;;
*)
[ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default
;;
esac
fi
# Turn on parallel history
shopt -s histappend
history -a
# Turn on checkwinsize
shopt -s checkwinsize
[ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ "
# You might want to have e.g. tty in prompt (e.g. more virtual machines)
# and console windows
# If you want to do so, just add e.g.
# if [ "$PS1" ]; then
# PS1="[\u@\h:\l \W]\\$ "
# fi
# to your custom modification shell script in /etc/profile.d/ directory
fi
if ! shopt -q login_shell ; then # We're not a login shell
# Need to redefine pathmunge, it gets undefined at the end of /etc/profile
pathmunge () {
case ":${PATH}:" in
*:"$1":*)
;;
*)
if [ "$2" = "after" ] ; then
PATH=$PATH:$1
else
PATH=$1:$PATH
fi
esac
}
# By default, we want umask 077
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
umask 077
else
umask 077
fi
SHELL=/bin/bash
# Only display echos from profile.d scripts if we are no login shell
# and interactive - otherwise just process them to set envvars
for i in /etc/profile.d/*.sh; do
if [ -r "$i" ]; then
if [ "$PS1" ]; then
. "$i"
else
. "$i" >/dev/null
fi
fi
done
unset i
unset -f pathmunge
fi
fi
# vim:ts=4:sw=4
[ -n "$PS1" -a -z "$TMUX" ] && exec tmux
if [ "$PS1" ]; then
parent=$(ps -o ppid= -p $$)
name=$(ps -o comm= -p $parent)
case "$name" in sshd|login) exec tmux ;; esac
fi
|
Configure tmux to lock session after inactivityxccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time mediumCCE-82199-1
Configure tmux to lock session after inactivity
| Rule ID | xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_tmux_lock_after_time:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82199-1 References:
FMT_SMF_EXT.1, SRG-OS-000029-GPOS-00010, RHEL-08-020070, SV-230353r599732_rule |
| Description | To enable console screen locking in tmux terminal multiplexer
after a period of inactivity,
the lock-after-time option has to be set to nonzero value in
/etc/tmux.conf. |
| Rationale | Locking the session after a period of inactivity limits the
potential exposure if the session is left unattended. |
OVAL test results detailscheck lock-after-time is set to 900 in /etc/tmux.conf
oval:ssg-test_configure_tmux_lock_after_time:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/tmux.conf | set -g lock-after-time 900
|
Disable debug-shell SystemD Servicexccdf_org.ssgproject.content_rule_service_debug-shell_disabled mediumCCE-80876-6
Disable debug-shell SystemD Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_debug-shell_disabled:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80876-6 References:
3.4.5, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), FIA_UAU.1, SRG-OS-000324-GPOS-00125, RHEL-08-040180, SV-230532r599815_rule |
| Description | SystemD's debug-shell service is intended to
diagnose SystemD related boot issues with various systemctl
commands. Once enabled and following a system reboot, the root shell
will be available on tty9 which is access by pressing
CTRL-ALT-F9. The debug-shell service should only be used
for SystemD related issues and should otherwise be disabled.
By default, the debug-shell SystemD service is already disabled.
The debug-shell service can be disabled with the following command:
$ sudo systemctl mask --now debug-shell.service |
| Rationale | This prevents attackers with physical access from trivially bypassing security
on the machine through valid troubleshooting configurations and gaining root
access when the system is rebooted. |
OVAL test results detailspackage systemd is removed
oval:ssg-test_service_debug-shell_package_systemd_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| systemd | x86_64 | (none) | 45.el8_4.3 | 239 | 0:239-45.el8_4.3 | 199e2f91fd431d51 | systemd-0:239-45.el8_4.3.x86_64 |
Test that the debug-shell service is not running
oval:ssg-test_service_not_running_debug-shell:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_debug-shell:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^debug-shell\.(service|socket)$ | ActiveState |
Test that the property LoadState from the service debug-shell is masked
oval:ssg-test_service_loadstate_is_masked_debug-shell:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_debug-shell:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^debug-shell\.(service|socket)$ | LoadState |
Test that the property FragmentPath from the service debug-shell is set to /dev/null
oval:ssg-test_service_fragmentpath_is_dev_null_debug-shell:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_fragmentpath_is_dev_null_debug-shell:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^debug-shell\.(service|socket)$ | FragmentPath |
Disable Ctrl-Alt-Del Burst Actionxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction highCCE-80784-2
Disable Ctrl-Alt-Del Burst Action
| Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_ctrlaltdel_burstaction:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80784-2 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000324-GPOS-00125, RHEL-08-040172, SV-230531r599813_rule |
| Description | By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.
To configure the system to ignore the CtrlAltDelBurstAction
setting, add or modify the following to /etc/systemd/system.conf:
CtrlAltDelBurstAction=none |
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot. |
| Warnings | warning
Disabling the Ctrl-Alt-Del key sequence
in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del
key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The
Ctrl-Alt-Del key sequence will only be disabled if running in
the non-graphical runlevel 3. |
OVAL test results detailscheck if CtrlAltDelBurstAction is set to none
oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/systemd/system.conf | CtrlAltDelBurstAction=none |
Disable Ctrl-Alt-Del Reboot Activationxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot highCCE-80785-9
Disable Ctrl-Alt-Del Reboot Activation
| Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_ctrlaltdel_reboot:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80785-9 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, RHEL-08-040170, SV-230529r599811_rule |
| Description | By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the
command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target
Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file,
as this file may be restored during future system updates. |
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot. |
OVAL test results detailsDisable Ctrl-Alt-Del key sequence override exists
oval:ssg-test_disable_ctrlaltdel_exists:tst:1
true
Following items have been found on the system:
| Filepath | Canonical path |
|---|
| /etc/systemd/system/ctrl-alt-del.target | /dev/null |
Require Authentication for Emergency Systemd Targetxccdf_org.ssgproject.content_rule_require_emergency_target_auth mediumCCE-82186-8
Require Authentication for Emergency Systemd Target
| Rule ID | xccdf_org.ssgproject.content_rule_require_emergency_target_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-require_emergency_target_auth:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82186-8 References:
1.5.3, 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048 |
| Description | Emergency mode is intended as a system recovery
method, providing a single user root access to the system
during a failed boot sequence.
By default, Emergency mode is protected by requiring a password and is set
in /usr/lib/systemd/system/emergency.service. |
| Rationale | This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password. |
OVAL test results detailsTests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd emergency.service to ensure that a password must be entered to access single user mode
oval:ssg-test_require_emergency_service:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/emergency.service | ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency |
Tests that the systemd emergency.service is in the emergency.target
oval:ssg-test_require_emergency_service_emergency_target:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/emergency.target | Requires=emergency.service |
look for emergency.target in /etc/systemd/system
oval:ssg-test_no_custom_emergency_target:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_emergency_target:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|
| no value | /etc/systemd/system | ^emergency.target$ |
look for emergency.service in /etc/systemd/system
oval:ssg-test_no_custom_emergency_service:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_emergency_service:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|
| no value | /etc/systemd/system | ^emergency.service$ |
Require Authentication for Single User Modexccdf_org.ssgproject.content_rule_require_singleuser_auth mediumCCE-80855-0
Require Authentication for Single User Mode
| Rule ID | xccdf_org.ssgproject.content_rule_require_singleuser_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-require_singleuser_auth:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80855-0 References:
1.5.3, 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010151, SV-230236r599732_rule |
| Description | Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
By default, single-user mode is protected by requiring a password and is set
in /usr/lib/systemd/system/rescue.service. |
| Rationale | This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password. |
OVAL test results detailsTests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode
oval:ssg-test_require_rescue_service:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/rescue.service | ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue |
Tests that the systemd rescue.service is in the runlevel1.target
oval:ssg-test_require_rescue_service_runlevel1:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/runlevel1.target | Requires=sysinit.target rescue.service |
look for runlevel1.target in /etc/systemd/system
oval:ssg-test_no_custom_runlevel1_target:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_runlevel1_target:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|
| no value | /etc/systemd/system | ^runlevel1.target$ |
look for rescue.service in /etc/systemd/system
oval:ssg-test_no_custom_rescue_service:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_rescue_service:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|
| no value | /etc/systemd/system | ^rescue.service$ |
Prevent Login to Accounts With Empty Passwordxccdf_org.ssgproject.content_rule_no_empty_passwords highCCE-80841-0
Prevent Login to Accounts With Empty Password
| Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_empty_passwords:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80841-0 References:
1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(1)(a), IA-5(c), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_UAU.1, Req-8.2.3, SRG-OS-000480-GPOS-00227, sshd_disable_empty_passwords |
| Description | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the
nullok in
/etc/pam.d/system-auth
to prevent logins with empty passwords. |
| Rationale | If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments. |
OVAL test results detailsmake sure nullok is not used in /etc/pam.d/system-auth
oval:ssg-test_no_empty_passwords:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_empty_passwords:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/pam.d/system-auth | ^[^#]*\bnullok\b.*$ | 1 |
Set Password Minimum Agexccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs mediumCCE-80648-9
Set Password Minimum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_minimum_age_login_defs:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80648-9 References:
5.5.1.2, 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000198, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000075-GPOS-00043, RHEL-08-020190, SV-230365r599732_rule |
| Description | To specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MIN_DAYS 1
A value of 1 day is considered sufficient for many
environments. The DoD requirement is 1.
The profile requirement is 1. |
| Rationale | Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password,
then the password could be repeatedly changed in a short period of time to
defeat the organization's policy regarding password reuse.
Setting the minimum password age protects against users cycling back to a
favorite password after satisfying the password reuse requirement. |
OVAL test results detailsThe value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs
oval:ssg-test_pass_min_days:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-variable_last_pass_min_days_instance_value:var:1 | 1 |
Set Password Minimum Length in login.defsxccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs mediumCCE-80652-1
Set Password Minimum Length in login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_minlen_login_defs:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80652-1 References:
1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.7, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(a), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000078-GPOS-00046, RHEL-08-020231, SV-230370r599732_rule |
| Description | To specify password length requirements for new accounts, edit the file
/etc/login.defs and add or correct the following line:
PASS_MIN_LEN 15
The DoD requirement is 15.
The FISMA requirement is 12.
The profile requirement is
15.
If a program consults /etc/login.defs and also another PAM module
(such as pam_pwquality) during a password change operation, then
the most restrictive must be satisfied. See PAM section for more
information about enforcing password quality requirements. |
| Rationale | Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
search space. However, any security benefit from an onerous requirement
must be carefully weighed against usability problems, support costs, or counterproductive
behavior that may result. |
OVAL test results detailsThe value of PASS_MIN_LEN should be set appropriately in /etc/login.defs
oval:ssg-test_pass_min_len:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-variable_last_pass_min_len_instance_value:var:1 | 15 |
Set Password Maximum Agexccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs mediumCCE-80647-1
Set Password Maximum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_maximum_age_login_defs:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80647-1 References:
5.5.1.1, 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000199, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.4, SRG-OS-000076-GPOS-00044, RHEL-08-020200, SV-230366r599732_rule |
| Description | To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS 60
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
The profile requirement is 60. |
| Rationale | Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
Setting the password maximum age ensures users are required to
periodically change their passwords. Requiring shorter password lifetimes
increases the risk of users writing down the password in a convenient
location subject to physical compromise. |
OVAL test results detailsThe value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs
oval:ssg-test_pass_max_days:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-variable_last_pass_max_days_instance_value:var:1 | 60 |
Set Existing Passwords Minimum Agexccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing mediumCCE-82472-2
Set Existing Passwords Minimum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82472-2 References:
CCI-000198, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000075-GPOS-00043, RHEL-08-020180, SV-230364r599732_rule, SRG-OS-000075-VMM000420 |
| Description | Configure non-compliant accounts to enforce a 24 hours/1 day minimum password
lifetime by running the following command:
$ sudo chage -m 1 USER |
| Rationale | Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password, the
password could be repeatedly changed in a short period of time to defeat the
organization's policy regarding password reuse. |
Evaluation messagesinfo
No candidate or applicable check found. |
Set Existing Passwords Maximum Agexccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing mediumCCE-82473-0
Set Existing Passwords Maximum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82473-0 References:
CCI-000199, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000076-GPOS-00044, RHEL-08-020210, SV-230367r599732_rule, SRG-OS-000076-VMM-000430 |
| Description | Configure non-compliant accounts to enforce a 60-day maximum password lifetime
restriction by running the following command:
$ sudo chage -M 60 USER |
| Rationale | Any password, no matter how complex, can eventually be cracked. Therefore,
passwords need to be changed periodically. If the operating system does
not limit the lifetime of passwords and force users to change their
passwords, there is the risk that the operating system passwords could be
compromised. |
Evaluation messagesinfo
No candidate or applicable check found. |
Verify Only Root Has UID 0xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero highCCE-80649-7
Verify Only Root Has UID 0
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_no_uid_except_zero:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80649-7 References:
6.2.6, 1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-6(5), IA-4(b), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-040200, SV-230534r599732_rule |
| Description | If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed.
If the account is associated with system commands or applications the UID
should be changed to one greater than "0" but less than "1000."
Otherwise assign a UID greater than "1000" that has not already been
assigned. |
| Rationale | An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner. |
OVAL test results detailstest that there are no accounts with UID 0 except root in the /etc/passwd file
oval:ssg-test_accounts_no_uid_except_root:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/passwd | ^(?!root:)[^:]*:[^:]*:0 | 1 |
Assign Expiration Date to Temporary Accountsxccdf_org.ssgproject.content_rule_account_temp_expire_date mediumCCE-82474-8
Assign Expiration Date to Temporary Accounts
| Rule ID | xccdf_org.ssgproject.content_rule_account_temp_expire_date |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82474-8 References:
1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, CCI-000016, CCI-001682, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(2), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, SRG-OS-000123-GPOS-00064, SRG-OS-000002-GPOS-00002, RHEL-08-020000, SV-230331r599824_rule, SRG-OS-000002-VMM-000020, SRG-OS-000123-VMM-000620 |
| Description | Temporary accounts are established as part of normal account activation
procedures when there is a need for short-term accounts. In the event
temporary or emergency accounts are required, configure the system to
terminate them after a documented time period. For every temporary and
emergency account, run the following command to set an expiration date on
it, substituting USER and YYYY-MM-DD
appropriately:
$ sudo chage -E YYYY-MM-DD USER
YYYY-MM-DD indicates the documented expiration date for the
account. For U.S. Government systems, the operating system must be
configured to automatically terminate these types of accounts after a
period of 72 hours. |
| Rationale | If temporary user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all temporary accounts
must be set upon account creation.
|
Evaluation messagesinfo
No candidate or applicable check found. |
Set Account Expiration Following Inactivityxccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration mediumCCE-80954-1
Set Account Expiration Following Inactivity
| Rule ID | xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-account_disable_post_pw_expiration:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80954-1 References:
1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.6.2.1.1, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000017, CCI-000795, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-4(e), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, SRG-OS-000118-GPOS-00060, RHEL-08-020260, SV-230373r599732_rule, SRG-OS-000003-VMM-000030, SRG-OS-000118-VMM-000590 |
| Description | To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in /etc/default/useradd:
INACTIVE=35
If a password is currently on the verge of expiration, then
35
day(s) remain(s) until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 60
days plus 35 day(s) could
elapse until the account would be automatically disabled. See the
useradd man page for more information. |
| Rationale | Disabling inactive accounts ensures that accounts which may not
have been responsibly removed are not available to attackers
who may have compromised their credentials. |
OVAL test results detailsthe value INACTIVE parameter should be set appropriately in /etc/default/useradd
oval:ssg-test_etc_default_useradd_inactive:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/default/useradd | INACTIVE=35 |
Ensure the Default Umask is Set Correctly For Interactive Usersxccdf_org.ssgproject.content_rule_accounts_umask_interactive_users mediumCCE-84044-7
Ensure the Default Umask is Set Correctly For Interactive Users
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84044-7 References:
CCI-000366, CCI-001814, SRG-OS-000480-GPOS-00227, RHEL-08-020352, SV-230384r599732_rule |
| Description | Remove the UMASK environment variable from all interactive users initialization files. |
| Rationale | The umask controls the default access mode assigned to newly created files. A
umask of 077 limits new files to mode 700 or less permissive. Although umask can
be represented as a four-digit number, the first digit representing special
access modes is typically ignored or required to be 0. This requirement
applies to the globally configured system defaults and the local interactive
user defaults for each account on the system. |
Evaluation messagesinfo
No candidate or applicable check found. |
Ensure the Default Bash Umask is Set Correctlyxccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc mediumCCE-81036-6
Ensure the Default Bash Umask is Set Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_bashrc:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81036-6 References:
5.4.4, 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228, RHEL-08-020353, SV-230385r599732_rule |
| Description | To ensure the default umask for users of the Bash shell is set properly,
add or correct the umask setting in /etc/bashrc to read
as follows:
umask 077 |
| Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users. |
OVAL test results detailsVerify the existence of var_accounts_user_umask_as_number variable
oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 63 |
Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement
oval:ssg-tst_accounts_umask_etc_bashrc:tst:1
true
Following items have been found on the system:
| Var ref | Value | Value | Value | Value | Value | Value | Value | Value |
|---|
| oval:ssg-var_etc_bashrc_umask_as_number:var:1 | 63 | 63 | 63 | 63 | 63 | 63 | 63 | 63 |
Ensure the Default Umask is Set Correctly in login.defsxccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs mediumCCE-82888-9
Ensure the Default Umask is Set Correctly in login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_login_defs:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82888-9 References:
BP28(R35), 11, 18, 3, 9, APO13.01, BAI03.01, BAI03.02, BAI03.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.6.1.5, AC-6(1), CM-6(a), PR.IP-1, PR.IP-2, SRG-OS-000480-GPOS-00228, RHEL-08-020351, SV-230383r599732_rule |
| Description | To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 077 |
| Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and
written to by unauthorized users. |
OVAL test results detailsVerify the existence of var_accounts_user_umask_as_number variable
oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 63 |
Test the retrieved /etc/login.defs umask value(s) match the var_accounts_user_umask requirement
oval:ssg-tst_accounts_umask_etc_login_defs:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-var_etc_login_defs_umask_as_number:var:1 | 63 |
Ensure that Users Path Contains Only Local Directoriesxccdf_org.ssgproject.content_rule_accounts_user_home_paths_only mediumCCE-84040-5
Ensure that Users Path Contains Only Local Directories
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84040-5 References:
CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010690, SV-230317r599732_rule |
| Description | Ensure that all interactive user initialization files executable search
path statements do not contain statements that will reference a working
directory other than the users home directory. |
| Rationale | The executable search path (typically the PATH environment variable) contains a
list of directories for the shell to search to find executables. If this path
includes the current working directory (other than the users home directory),
executables in these directories may be executed instead of system commands.
This variable is formatted as a colon-separated list of directories. If there is
an empty entry, such as a leading or trailing colon or two consecutive colons,
this is interpreted as the current working directory. If deviations from the
default system search path for the local interactive user are required, they
must be documented with the Information System Security Officer (ISSO). |
Evaluation messagesinfo
No candidate or applicable check found. |
All Interactive User Home Directories Must Have mode 0750 Or Less Permissivexccdf_org.ssgproject.content_rule_file_permissions_home_directories mediumCCE-84038-9
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_home_directories |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84038-9 References:
CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010730, SV-230321r599732_rule |
| Description | Change the mode of interactive users home directories to 0750. To
change the mode of interactive users home directory, use the
following command:
$ sudo chmod 0750 /home/USER |
| Rationale | Excessive permissions on local interactive user home directories may allow
unauthorized access to user files by other users. |
Evaluation messagesinfo
No candidate or applicable check found. |
All Interactive Users Must Have A Home Directory Definedxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined mediumCCE-84036-3
All Interactive Users Must Have A Home Directory Defined
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84036-3 References:
CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010720, SV-230320r599732_rule |
| Description | Assign home directories to all interactive users that currently do not
have a home directory assigned. |
| Rationale | If local interactive users are not assigned a valid home directory, there is no
place for the storage and control of files they should own. |
Evaluation messagesinfo
No candidate or applicable check found. |
Ensure Home Directories are Created for New Usersxccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs mediumCCE-83789-8
Ensure Home Directories are Created for New Users
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_have_homedir_login_defs:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-83789-8 References:
CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010760, SV-230324r599732_rule |
| Description | All local interactive user accounts, upon creation, should be assigned a home directory.
Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME
parameter in /etc/login.defs to yes as follows:
CREATE_HOME yes |
| Rationale | If local interactive users are not assigned a valid home directory, there is no place
for the storage and control of files they should own. |
OVAL test results detailsCheck value of CREATE_HOME in /etc/login.defs
oval:ssg-test_accounts_have_homedir_login_defs:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/login.defs | CREATE_HOME yes
# This enables userdel to remove user groups if no members exist. |
Ensure All User Initialization Files Have Mode 0740 Or Less Permissivexccdf_org.ssgproject.content_rule_file_permission_user_init_files mediumCCE-84043-9
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
| Rule ID | xccdf_org.ssgproject.content_rule_file_permission_user_init_files |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84043-9 References:
CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010770, SV-230325r599732_rule |
| Description | Set the mode of the user initialization files to 0740 with the
following command:
$ sudo chmod 0740 /home/USER/.INIT_FILE |
| Rationale | Local initialization files are used to configure the user's shell environment
upon logon. Malicious modification of these files could compromise accounts upon
logon. |
Evaluation messagesinfo
No candidate or applicable check found. |
All Interactive User Home Directories Must Be Group-Owned By The Primary Userxccdf_org.ssgproject.content_rule_file_groupownership_home_directories mediumCCE-83434-1
All Interactive User Home Directories Must Be Group-Owned By The Primary User
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_home_directories |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-83434-1 References:
6.2.8, CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010740, SV-230322r599732_rule |
| Description | Change the group owner of interactive users home directory to the
group found in /etc/passwd. To change the group owner of
interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER |
| Rationale | If the Group Identifier (GID) of a local interactive users home directory is
not the same as the primary GID of the user, this would allow unauthorized
access to the users files, and users that share the same group may not be
able to access files that they legitimately should. |
Evaluation messagesinfo
No candidate or applicable check found. |
Limit the Number of Concurrent Login Sessions Allowed Per Userxccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions lowCCE-80955-8
Limit the Number of Concurrent Login Sessions Allowed Per User
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_max_concurrent_login_sessions:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-80955-8 References:
14, 15, 18, 9, 5.5.2.2, DSS01.05, DSS05.02, CCI-000054, 4.3.3.4, SR 3.1, SR 3.8, A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3, AC-10, CM-6(a), PR.AC-5, SRG-OS-000027-GPOS-00008, RHEL-08-020024, SV-230346r599786_rule, SRG-OS-000027-VMM-000080 |
| Description | Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in /etc/security/limits.conf or
a file under /etc/security/limits.d/:
* hard maxlogins 10 |
| Rationale | Limiting simultaneous user logins can insulate the system from denial of service
problems caused by excessive logins. Automated login processes operating improperly or
maliciously may result in an exceptional number of simultaneous login sessions. |
OVAL test results detailsthe value maxlogins should be set appropriately in /etc/security/limits.d/*.conf
oval:ssg-test_limitsd_maxlogins:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_security_limitsd_conf_maxlogins:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/security/limits.d | ^.*\.conf$ | ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ | 1 |
the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf
oval:ssg-test_limitsd_maxlogins_exists:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_security_limitsd_conf_maxlogins_exists:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/security/limits.d | ^.*\.conf$ | ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins | 1 |
the value maxlogins should be set appropriately in /etc/security/limits.conf
oval:ssg-test_maxlogins:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/security/limits.conf | * hard maxlogins 10
|
Ensure the Logon Failure Delay is Set Correctly in login.defsxccdf_org.ssgproject.content_rule_accounts_logon_fail_delay mediumCCE-84037-1
Ensure the Logon Failure Delay is Set Correctly in login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_logon_fail_delay:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84037-1 References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00226, RHEL-08-020310, SV-230378r599732_rule |
| Description | To ensure the logon failure delay controlled by /etc/login.defs is set properly,
add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
FAIL_DELAY 4 |
| Rationale | Increasing the time between a failed authentication attempt and re-prompting to
enter credentials helps to slow a single-threaded brute force attack. |
OVAL test results detailscheck FAIL_DELAY in /etc/login.defs
oval:ssg-test_accounts_logon_fail_delay:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/login.defs |
FAIL_DELAY 4 |
All Interactive Users Home Directories Must Existxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists mediumCCE-83424-2
All Interactive Users Home Directories Must Exist
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-83424-2 References:
6.2.20, CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010750, SV-230323r599732_rule |
| Description | Create home directories to all interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER |
| Rationale | If a local interactive user has a home directory defined that does not exist,
the user may be given access to the / directory as the current working directory
upon logon. This could create a Denial of Service because the user would not be
able to access their logon configuration files, and it may give them visibility
to system files they normally would not be able to access. |
Evaluation messagesinfo
No candidate or applicable check found. |
User Initialization Files Must Not Run World-Writable Programsxccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs mediumCCE-84039-7
User Initialization Files Must Not Run World-Writable Programs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84039-7 References:
CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010660, SV-230309r599732_rule |
| Description | Set the mode on files being executed by the user initialization files with the
following command:
$ sudo chmod 0755 FILE |
| Rationale | If user start-up files execute world-writable programs, especially in
unprotected directories, they could be maliciously modified to destroy user
files or otherwise compromise the system at the user level. If the system is
compromised at the user level, it is easier to elevate privileges to eventually
compromise the system at the root and network level. |
Evaluation messagesinfo
No candidate or applicable check found. |
Set hostname as computer node name in audit logsxccdf_org.ssgproject.content_rule_auditd_name_format mediumCCE-82897-0
Set hostname as computer node name in audit logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_name_format |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_name_format:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82897-0 References:
CCI-001851, FAU_GEN.1, SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030062, SV-230394r599732_rule |
| Description | To configure Audit daemon to use value returned by gethostname
syscall as computer node name in the audit events,
set name_format to hostname
in /etc/audit/auditd.conf. |
| Rationale | If option name_format is left at its default value of
none, audit events from different computers may be hard
to distinguish. |
OVAL test results detailstests the value of name_format setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_name_format:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/audit/auditd.conf | name_format = hostname |
Configure auditd space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action mediumCCE-80684-4
Configure auditd space_left Action on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_space_left_action:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80684-4 References:
4.1.2.3, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, SRG-OS-000343-VMM-001240 |
| Description | The auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf. Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page.
These include:
syslogemailexecsuspendsinglehalt
Set this to email (instead of the default,
which is suspend) as it is more likely to get prompt attention. Acceptable values
also include suspend, single, and halt. |
| Rationale | Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption. |
OVAL test results detailsspace left action
oval:ssg-test_auditd_data_retention_space_left_action:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/audit/auditd.conf | space_left_action = email |
Configure auditd max_log_file_action Upon Reaching Maximum Log Sizexccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action mediumCCE-80682-8
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_max_log_file_action:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80682-8 References:
4.1.2.2, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000047-GPOS-00023, RHEL-08-030050, SV-230391r599732_rule |
| Description | The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man
page. These include:
syslogsuspendrotatekeep_logs
Set the ACTION to rotate to ensure log rotation
occurs. This is the default. The setting is case-insensitive. |
| Rationale | Automatically rotating logs (by setting this to rotate)
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
keep_logs can be employed. |
OVAL test results detailsadmin space left action
oval:ssg-test_auditd_data_retention_max_log_file_action:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/audit/auditd.conf | max_log_file_action = syslog |
Configure auditd Disk Error Action on Disk Errorxccdf_org.ssgproject.content_rule_auditd_data_disk_error_action mediumCCE-84046-2
Configure auditd Disk Error Action on Disk Error
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_disk_error_action:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84046-2 References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000047-GPOS-00023, RHEL-08-030040, SV-230390r599732_rule |
| Description | The auditd service can be configured to take an action
when there is a disk error.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_error_action = ACTION
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,
exec, single, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| Rationale | Taking appropriate action in case of disk errors will minimize the possibility of
losing audit records. |
OVAL test results detailsdisk full action
oval:ssg-test_auditd_data_disk_error_action:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/audit/auditd.conf | disk_error_action = HALT |
Configure auditd mail_acct Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct mediumCCE-80678-6
Configure auditd mail_acct Action on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_action_mail_acct:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80678-6 References:
4.1.2.3, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000139, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, IA-5(1), AU-5(a), AU-5(2), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7.a, SRG-OS-000343-GPOS-00134, RHEL-08-030020, SV-230388r599732_rule, SRG-OS-000046-VMM-000210, SRG-OS-000343-VMM-001240 |
| Description | The auditd service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf to ensure that administrators are notified
via email for those situations:
action_mail_acct = root |
| Rationale | Email sent to the root account is typically aliased to the
administrators of the system, who can take appropriate action. |
OVAL test results detailsemail account for actions
oval:ssg-test_auditd_data_retention_action_mail_acct:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/audit/auditd.conf | action_mail_acct = root |
Include Local Events in Audit Logsxccdf_org.ssgproject.content_rule_auditd_local_events mediumCCE-82233-8
Include Local Events in Audit Logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_local_events |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_local_events:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82233-8 References:
FAU_GEN.1.1.c, SRG-OS-000062-GPOS-00031, RHEL-08-030061, SV-230393r599732_rule |
| Description | To configure Audit daemon to include local events in Audit logs, set
local_events to yes in /etc/audit/auditd.conf.
This is the default setting. |
| Rationale | If option local_events isn't set to yes only events from
network will be aggregated. |
OVAL test results detailstests the value of local_events setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_local_events:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/audit/auditd.conf | local_events = yes |
tests the absence of local_events setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_local_events_default_not_overriden:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/audit/auditd.conf | local_events = |
Resolve information before writing to audit logsxccdf_org.ssgproject.content_rule_auditd_log_format mediumCCE-82201-5
Resolve information before writing to audit logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_log_format |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_log_format:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82201-5 References:
FAU_GEN.1, SRG-OS-000255-GPOS-00096, RHEL-08-030063, SV-230395r599732_rule |
| Description | To configure Audit daemon to resolve all uid, gid, syscall,
architecture, and socket address information before writing the
events to disk, set log_format to ENRICHED
in /etc/audit/auditd.conf. |
| Rationale | If option log_format isn't set to ENRICHED, the
audit records will be stored in a format exactly as the kernel sends them. |
OVAL test results detailstests the value of log_format setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_log_format:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/audit/auditd.conf | log_format = ENRICHED |
Configure auditd Disk Full Action when Disk Space Is Fullxccdf_org.ssgproject.content_rule_auditd_data_disk_full_action mediumCCE-84045-4
Configure auditd Disk Full Action when Disk Space Is Full
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_disk_full_action:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84045-4 References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000047-GPOS-00023, RHEL-08-030060, SV-230392r599732_rule |
| Description | The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,
exec,
single, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| Rationale | Taking appropriate action in case of a filled audit storage volume will minimize
the possibility of losing audit records. |
OVAL test results detailsdisk error action
oval:ssg-test_auditd_data_disk_full_action:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/audit/auditd.conf | disk_full_action = HALT |
System Audit Logs Must Be Owned By Rootxccdf_org.ssgproject.content_rule_file_ownership_var_log_audit mediumCCE-80808-9
System Audit Logs Must Be Owned By Root
| Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_ownership_var_log_audit:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80808-9 References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, RHEL-08-030080, SV-230397r599732_rule |
| Description | All audit logs must be owned by root user and group. By default, the path for audit log is /var/log/audit/ .
To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit
To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/* |
| Rationale | Unauthorized disclosure of audit records can reveal system and configuration data to
attackers, thus compromising its confidentiality. |
OVAL test results details/var/log/audit files uid root gid root
oval:ssg-test_ownership_var_log_audit_files:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_ownership_var_log_audit_files:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|
| no value | /var/log/audit | ^.*$ | oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 |
/var/log/audit directories uid root gid root
oval:ssg-test_ownership_var_log_audit_directories:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_ownership_var_log_audit_directories:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|
| no value | /var/log/audit | no value | oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 |
log_group = root
oval:ssg-test_auditd_conf_log_group_not_root:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/audit/auditd.conf | log_group = root |
/var/log/audit files uid root gid root
oval:ssg-test_ownership_var_log_audit_files-non_root:tst:1
true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|
| /var/log/audit/audit.log | regular | 0 | 0 | 318222134 | rw------- |
/var/log/audit directories uid root gid root
oval:ssg-test_ownership_var_log_audit_directories-non_root:tst:1
true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|
| /var/log/audit/ | directory | 0 | 0 | 23 | rwx------ |
System Audit Logs Must Have Mode 0750 or Less Permissivexccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit mediumCCE-84048-8
System Audit Logs Must Have Mode 0750 or Less Permissive
| Rule ID | xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-directory_permissions_var_log_audit:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84048-8 References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9, DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, RHEL-08-030120, SV-230401r599732_rule |
| Description | If log_group in /etc/audit/auditd.conf is set to a group other than the root
group account, change the mode of the audit log files with the following command:
$ sudo chmod 0750 /var/log/audit
Otherwise, change the mode of the audit log files with the following command:
$ sudo chmod 0700 /var/log/audit |
| Rationale | If users can write to audit logs, audit trails can be modified or destroyed. |
OVAL test results details/var/log/audit mode 0700
oval:ssg-test_dir_permissions_var_log_audit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_audit_directory:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|
| no value | /var/log/audit | ^.*$ | oval:ssg-state_not_mode_0700:ste:1 |
log_group = root
oval:ssg-test_auditd_conf_log_group_not_root:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/audit/auditd.conf | log_group = root |
/var/log/audit files mode 0750
oval:ssg-test_dir_permissions_var_log_audit-non_root:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_audit_directory-non_root:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|
| no value | /var/log/audit | ^.*$ | oval:ssg-state_not_mode_0750:ste:1 |
System Audit Logs Must Have Mode 0640 or Less Permissivexccdf_org.ssgproject.content_rule_file_permissions_var_log_audit mediumCCE-80819-6
System Audit Logs Must Have Mode 0640 or Less Permissive
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_var_log_audit:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80819-6 References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, RHEL-08-030070, SV-230396r599732_rule |
| Description | If log_group in /etc/audit/auditd.conf is set to a group other than the root
group account, change the mode of the audit log files with the following command:
$ sudo chmod 0640 audit_file
Otherwise, change the mode of the audit log files with the following command:
$ sudo chmod 0600 audit_file |
| Rationale | If users can write to audit logs, audit trails can be modified or destroyed. |
OVAL test results details/var/log/audit files mode 0600
oval:ssg-test_file_permissions_var_log_audit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_audit_files:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|
| no value | /var/log/audit | ^.*$ | oval:ssg-state_not_mode_0600:ste:1 |
log_group = root
oval:ssg-test_auditd_conf_log_group_not_root:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/audit/auditd.conf | log_group = root |
/var/log/audit files mode 0640
oval:ssg-test_file_permissions_var_log_audit-non_root:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_audit_files-non_root:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|
| no value | /var/log/audit | ^.*$ | oval:ssg-state_not_mode_0640:ste:1 |
Ensure the audit Subsystem is Installedxccdf_org.ssgproject.content_rule_package_audit_installed mediumCCE-81043-2
Ensure the audit Subsystem is Installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_audit_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_audit_installed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81043-2 References:
BP28(R50), 4.1.1.1, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), SRG-OS-000480-GPOS-00227, SRG-OS-000122-GPOS-00063 |
| Description | The audit package should be installed. |
| Rationale | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. |
OVAL test results detailspackage audit is installed
oval:ssg-test_package_audit_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| audit | x86_64 | (none) | 0.17.20191104git1c2f876.el8 | 3.0 | 0:3.0-0.17.20191104git1c2f876.el8 | 199e2f91fd431d51 | audit-0:3.0-0.17.20191104git1c2f876.el8.x86_64 |
Enable auditd Servicexccdf_org.ssgproject.content_rule_service_auditd_enabled mediumCCE-80872-5
Enable auditd Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_auditd_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_auditd_enabled:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80872-5 References:
4.1.1.2, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000134, CCI-000135, CCI-001464, CCI-001487, CCI-001814, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.1, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000365-GPOS-00152, RHEL-08-010560, SV-230297r599732_rule, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 |
| Description | The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service |
| Rationale | Without establishing what type of events occurred, it would be difficult
to establish, correlate, and investigate the events leading up to an outage or attack.
Ensuring the auditd service is active ensures audit records
generated by the kernel are appropriately recorded.
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. |
OVAL test results detailspackage audit is installed
oval:ssg-test_service_auditd_package_audit_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| audit | x86_64 | (none) | 0.17.20191104git1c2f876.el8 | 3.0 | 0:3.0-0.17.20191104git1c2f876.el8 | 199e2f91fd431d51 | audit-0:3.0-0.17.20191104git1c2f876.el8.x86_64 |
Test that the auditd service is running
oval:ssg-test_service_running_auditd:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|
| auditd.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_auditd:tst:1
true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
systemd test
oval:ssg-test_multi_user_wants_auditd_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
Extend Audit Backlog Limit for the Audit Daemonxccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument mediumCCE-80943-4
Extend Audit Backlog Limit for the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_audit_backlog_limit_argument:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80943-4 References:
4.1.1.4, CM-6(a), SRG-OS-000254-GPOS-00095, RHEL-08-030602, SV-230469r599732_rule |
| Description | To improve the kernel capacity to queue all log events, even those which occurred
prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192" |
| Rationale | audit_backlog_limit sets the queue length for audit events awaiting transfer
to the audit daemon. Until the audit daemon is up and running, all log messages
are stored in this queue. If the queue is overrun during boot process, the action
defined by audit failure flag is taken. |
| Warnings | warning
The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
|
OVAL test results detailscheck forkernel command line parameters audit_backlog_limit=8192 in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /boot/grub2/grubenv | kernelopts=root=UUID=fab9287a-70f3-4573-b393-f09902623b96 ro console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau nvme_core.io_timeout=4294967295 crashkernel=auto audit=1 audit_backlog_limit=8192 pti=on vsyscall=none slub_debug=P page_poison=1 fips=1 |
Enable Auditing for Processes Which Start Prior to the Audit Daemonxccdf_org.ssgproject.content_rule_grub2_audit_argument mediumCCE-80825-3
Enable Auditing for Processes Which Start Prior to the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_audit_argument:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80825-3 References:
4.1.1.3, 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001464, CCI-000130, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.3, SRG-OS-000254-GPOS-00095, RHEL-08-030601, SV-230468r599732_rule, SRG-OS-000254-VMM-000880 |
| Description | To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system in
/boot/grub2/grubenv, in the manner below:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1" |
| Rationale | Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although auditd takes care of enabling
this for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot. |
| Warnings | warning
The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
|
OVAL test results detailscheck forkernel command line parameters audit=1 in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_audit_argument_grub_env:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /boot/grub2/grubenv | kernelopts=root=UUID=fab9287a-70f3-4573-b393-f09902623b96 ro console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau nvme_core.io_timeout=4294967295 crashkernel=auto audit=1 audit_backlog_limit=8192 pti=on vsyscall=none slub_debug=P page_poison=1 fips=1 |
Set the UEFI Boot Loader Passwordxccdf_org.ssgproject.content_rule_grub2_uefi_password highCCE-80829-5
Set the UEFI Boot Loader Password
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_uefi_password |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80829-5 References:
BP28(R17), 1.4.2, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010140, SV-230234r599732_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
$ grub2-setpassword
When prompted, enter the password that was selected.
Once the superuser password has been added,
update the
grub.cfg file by running:
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg |
| Rationale | Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. |
| Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
Set the UEFI Boot Loader Admin Username to a Non-Default Valuexccdf_org.ssgproject.content_rule_grub2_uefi_admin_username lowCCE-83542-1
Set the UEFI Boot Loader Admin Username to a Non-Default Value
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username |
| Result | |
| Multi-check rule | no |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-83542-1 References:
BP28(R17), 1.4.2, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048 |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To maximize the protection, select a password-protected superuser account with unique name, and modify the
/etc/grub.d/01_users configuration file to reflect the account name change.
It is highly suggested not to use common administrator account names like root,
admin, or administrator for the grub2 superuser account.
Change the superuser to a different username (The default is 'root').
$ sed -i 's/\(set superuser=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
Once the superuser account has been added,
update the
grub.cfg file by running:
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg |
| Rationale | Having a non-default grub superuser username makes password-guessing attacks less effective. |
| Warnings | warning
To prevent hard-coded admin usernames, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
Set the Boot Loader Admin Username to a Non-Default Valuexccdf_org.ssgproject.content_rule_grub2_admin_username lowCCE-83561-1
Set the Boot Loader Admin Username to a Non-Default Value
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_admin_username |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_admin_username:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-83561-1 References:
BP28(R17), 1.4.2, 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048 |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To maximize the protection, select a password-protected superuser account with unique name, and modify the
/etc/grub.d/01_users configuration file to reflect the account name change.
Do not to use common administrator account names like root,
admin, or administrator for the grub2 superuser account.
Change the superuser to a different username (The default is 'root').
$ sed -i 's/\(set superuser=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
Once the superuser account has been added,
update the
grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg |
| Rationale | Having a non-default grub superuser username makes password-guessing attacks less effective. |
| Warnings | warning
To prevent hard-coded admin usernames, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
OVAL test results detailsCheck if /boot/grub2/grub.cfg does not exist
oval:ssg-test_grub2_admin_username_file_boot_grub2_grub_cfg_absent:tst:1
false
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|
| /boot/grub2/grub.cfg | regular | 0 | 0 | 6477 | rw-r--r-- |
superuser is defined in /boot/grub2/grub.cfg files. Superuser is not root, admin, or administrator
oval:ssg-test_bootloader_unique_superuser:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_bootloader_unique_superuser:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /boot/grub2/grub.cfg | ^[\s]*set[\s]+superusers="(?i)(?!root|admin|administrator)(?-i).*"$ | 1 |
Set Boot Loader Password in grub2xccdf_org.ssgproject.content_rule_grub2_password highCCE-80828-7
Set Boot Loader Password in grub2
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_password |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_password:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80828-7 References:
BP28(R17), 1.5.2, 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010150, SV-230235r599732_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
$ grub2-setpassword
When prompted, enter the password that was selected.
Once the superuser password has been added,
update the
grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg |
| Rationale | Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. |
| Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
OVAL test results detailsCheck if /boot/grub2/grub.cfg does not exist
oval:ssg-test_grub2_password_file_boot_grub2_grub_cfg_absent:tst:1
false
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|
| /boot/grub2/grub.cfg | regular | 0 | 0 | 6477 | rw-r--r-- |
make sure a password is defined in /boot/grub2/user.cfg
oval:ssg-test_grub2_password_usercfg:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_password_usercfg:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /boot/grub2/user.cfg | ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ | 1 |
make sure a password is defined in /boot/grub2/grub.cfg
oval:ssg-test_grub2_password_grubcfg:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_password_grubcfg:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /boot/grub2/grub.cfg | ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ | 1 |
superuser is defined in /boot/grub2/grub.cfg files.
oval:ssg-test_bootloader_superuser:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /boot/grub2/grub.cfg | set superusers="root" |
Enable Kernel Page-Table Isolation (KPTI)xccdf_org.ssgproject.content_rule_grub2_pti_argument highCCE-82194-2
Enable Kernel Page-Table Isolation (KPTI)
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_pti_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_pti_argument:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-82194-2 References:
SI-16, SRG-OS-000433-GPOS-00193, RHEL-08-040004, SV-230491r599732_rule |
| Description | To enable Kernel page-table isolation,
add the argument pti=on to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="pti=on" |
| Rationale | Kernel page-table isolation is a kernel feature that mitigates
the Meltdown security vulnerability and hardens the kernel
against attempts to bypass kernel address space layout
randomization (KASLR). |
| Warnings | warning
The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
|
OVAL test results detailscheck forkernel command line parameters pti=on in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_pti_argument_grub_env:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /boot/grub2/grubenv | kernelopts=root=UUID=fab9287a-70f3-4573-b393-f09902623b96 ro console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau nvme_core.io_timeout=4294967295 crashkernel=auto audit=1 audit_backlog_limit=8192 pti=on vsyscall=none slub_debug=P page_poison=1 fips=1 |
Disable vsyscallsxccdf_org.ssgproject.content_rule_grub2_vsyscall_argument mediumCCE-80946-7
Disable vsyscalls
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_vsyscall_argument:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80946-7 References:
CM-7(a), SRG-OS-000480-GPOS-00227, RHEL-08-010422, SV-230278r599732_rule |
| Description | To disable use of virtual syscalls,
add the argument vsyscall=none to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="vsyscall=none" |
| Rationale | Virtual Syscalls provide an opportunity of attack for a user who has control
of the return instruction pointer. |
| Warnings | warning
The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
|
OVAL test results detailscheck forkernel command line parameters vsyscall=none in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_vsyscall_argument_grub_env:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /boot/grub2/grubenv | kernelopts=root=UUID=fab9287a-70f3-4573-b393-f09902623b96 ro console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau nvme_core.io_timeout=4294967295 crashkernel=auto audit=1 audit_backlog_limit=8192 pti=on vsyscall=none slub_debug=P page_poison=1 fips=1 |
Install policycoreutils Packagexccdf_org.ssgproject.content_rule_package_policycoreutils_installed highCCE-82976-2
Install policycoreutils Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_policycoreutils_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_policycoreutils_installed:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-82976-2 References:
SRG-OS-000480-GPOS-00227, RHEL-08-010171, SV-230241r599732_rule |
| Description | The policycoreutils package can be installed with the following command:
$ sudo yum install policycoreutils |
| Rationale | Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
with enhanced security functionality designed to add mandatory access controls to Linux.
The Security-enhanced Linux kernel contains new architectural components originally
developed to improve security of the Flask operating system. These architectural components
provide general support for the enforcement of many kinds of mandatory access control
policies, including those based on the concepts of Type Enforcement, Role-based Access
Control, and Multi-level Security.
policycoreutils contains the policy core utilities that are required for
basic operation of an SELinux-enabled system. These utilities include load_policy
to load SELinux policies, setfiles to label filesystems, newrole to
switch roles, and run_init to run /etc/init.d scripts in the proper
context. |
OVAL test results detailspackage policycoreutils is installed
oval:ssg-test_package_policycoreutils_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| policycoreutils | x86_64 | (none) | 14.el8 | 2.9 | 0:2.9-14.el8 | 199e2f91fd431d51 | policycoreutils-0:2.9-14.el8.x86_64 |
Ensure SELinux State is Enforcingxccdf_org.ssgproject.content_rule_selinux_state mediumCCE-80869-1
Ensure SELinux State is Enforcing
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_state |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_state:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80869-1 References:
BP28(R4), BP28(R66), 1.7.1.4, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, RHEL-08-010170, SV-230240r599732_rule, SRG-OS-000445-VMM-001780 |
| Description | The SELinux state should be set to enforcing at
system boot time. In the file /etc/selinux/config, add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX=enforcing |
| Rationale | Setting the SELinux state to enforcing ensures SELinux is able to confine
potentially compromised processes to the security policy, which is designed to
prevent them from causing damage to the system or further elevating their
privileges. |
OVAL test results details/selinux/enforce is 1
oval:ssg-test_etc_selinux_config:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/selinux/config | SELINUX=enforcing |
Configure SELinux Policyxccdf_org.ssgproject.content_rule_selinux_policytype mediumCCE-80868-3
Configure SELinux Policy
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_policytype |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_policytype:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80868-3 References:
BP28(R66), 1.7.1.3, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, RHEL-08-010450, SV-230282r599732_rule, SRG-OS-000445-VMM-001780 |
| Description | The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config:
SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases. |
| Rationale | Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to
temporarily place non-production systems in permissive mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to
targeted. |
OVAL test results detailsTests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file
oval:ssg-test_selinux_policy:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/selinux/config | SELINUXTYPE=targeted
|
Deactivate Wireless Network Interfacesxccdf_org.ssgproject.content_rule_wireless_disable_interfaces mediumCCE-83501-7
Deactivate Wireless Network Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_wireless_disable_interfaces |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-wireless_disable_interfaces:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-83501-7 References:
3.5, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-002418, CCI-002421, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 1315, 1319, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000424-GPOS-00188, RHEL-08-040110, SV-230506r599732_rule |
| Description | Deactivating wireless network interfaces should prevent
normal usage of the wireless capability.
Configure the system to disable all wireless network interfaces with the
following command:
$ sudo nmcli radio wifi off |
| Rationale | The use of wireless networking can introduce many different attack vectors into
the organization's network. Common attack vectors such as malicious association
and ad hoc networks will allow an attacker to spoof a wireless access point
(AP), allowing validated systems to connect to the malicious AP and enabling the
attacker to monitor and record network traffic. These malicious APs can also
serve to create a man-in-the-middle attack or be used to create a denial of
service to valid network resources. |
OVAL test results detailsquery /proc/net/wireless
oval:ssg-test_wireless_disable_interfaces:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_wireless_disable_interfaces:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /proc/net/wireless | ^\s*[-\w]+: | 1 |
Disable Bluetooth Kernel Modulexccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled mediumCCE-80832-9
Disable Bluetooth Kernel Module
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_bluetooth_disabled:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80832-9 References:
11, 12, 14, 15, 3, 8, 9, 5.13.1.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, RHEL-08-040111, SV-230507r599732_rule |
| Description | The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following to
the appropriate /etc/modprobe.d configuration file
to prevent the loading of the Bluetooth module:
install bluetooth /bin/true |
| Rationale | If Bluetooth functionality must be disabled, preventing the kernel
from loading the kernel module provides an additional safeguard against its
activation. |
OVAL test results detailskernel module bluetooth disabled
oval:ssg-test_kernmod_bluetooth_disabled:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/modprobe.d/"bluetooth".conf | install bluetooth /bin/true |
kernel module bluetooth disabled in /etc/modules-load.d
oval:ssg-test_kernmod_bluetooth_etcmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_bluetooth_etcmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modules-load.d | ^.*\.conf$ | ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ | 1 |
kernel module bluetooth disabled in /run/modules-load.d
oval:ssg-test_kernmod_bluetooth_runmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_bluetooth_runmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modules-load.d | ^.*\.conf$ | ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ | 1 |
kernel module bluetooth disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_bluetooth_libmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_bluetooth_libmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ | 1 |
kernel module bluetooth disabled in /run/modprobe.d
oval:ssg-test_kernmod_bluetooth_runmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_bluetooth_runmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modprobe.d | ^.*\.conf$ | ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ | 1 |
kernel module bluetooth disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_bluetooth_libmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_bluetooth_libmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modprobe.d | ^.*\.conf$ | ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ | 1 |
kernel module bluetooth disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_bluetooth_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_bluetooth_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ | 1 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects mediumCCE-81010-1
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81010-1 References:
BP28(R22), 3.3.2, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227 |
| Description | To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0 |
| Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
OVAL test results detailsnet.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/sysctl.conf | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1
false
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.default.accept_redirects static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_redirects:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
|
net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_redirects:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
|
net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_redirects:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n | 1 |
net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n | 1 |
kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_redirects:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv6.conf.default.accept_redirects | 0 |
Disable Accepting ICMP Redirects for All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects mediumCCE-81009-3
Disable Accepting ICMP Redirects for All IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81009-3 References:
BP28(R22), 3.3.2, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227 |
| Description | To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_redirects = 0 |
| Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
OVAL test results detailsnet.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/sysctl.conf | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1
false
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.accept_redirects static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_redirects:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
|
net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_redirects:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
|
net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_redirects:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n | 1 |
net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n | 1 |
kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_redirects:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv6.conf.all.accept_redirects | 0 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route mediumCCE-81015-0
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81015-0 References:
BP28(R22), 3.2.1, 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227 |
| Description | To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required. |
OVAL test results detailsnet.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/sysctl.conf | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1
false
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.default.accept_source_route static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_source_route:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
|
net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_source_route:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
|
net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_source_route:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n | 1 |
net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n | 1 |
kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_source_route:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv6.conf.default.accept_source_route | 0 |
Configure Accepting Router Advertisements on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra mediumCCE-81006-9
Configure Accepting Router Advertisements on All IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81006-9 References:
3.2.9, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040261, SV-230541r599732_rule |
| Description | To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra = 0 |
| Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
OVAL test results detailsnet.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/sysctl.conf | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1
false
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.accept_ra static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_ra:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
|
net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_ra:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
|
net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_ra:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_ra:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n | 1 |
net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n | 1 |
kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_ra:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv6.conf.all.accept_ra | 0 |
Disable Accepting Router Advertisements on all IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra mediumCCE-81007-7
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81007-7 References:
3.2.9, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040262, SV-230542r599732_rule |
| Description | To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra = 0 |
| Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
OVAL test results detailsnet.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/sysctl.conf | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1
false
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.default.accept_ra static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_ra:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
|
net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_ra:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
|
net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_ra:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_ra:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n | 1 |
net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n | 1 |
kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_ra:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv6.conf.default.accept_ra | 0 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route mediumCCE-81013-5
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81013-5 References:
BP28(R22), 3.2.1, 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227 |
| Description | To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required. |
OVAL test results detailsnet.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/sysctl.conf | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1
false
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.accept_source_route static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_source_route:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
|
net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_source_route:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
|
net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_source_route:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n | 1 |
net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n | 1 |
kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_source_route:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv6.conf.all.accept_source_route | 0 |
Install firewalld Packagexccdf_org.ssgproject.content_rule_package_firewalld_installed mediumCCE-82998-6
Install firewalld Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_firewalld_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_firewalld_installed:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82998-6 References:
3.4.1.1, CM-6(a), SRG-OS-000480-GPOS-00227, SRG-OS-000298-GPOS-00116 |
| Description | The firewalld package can be installed with the following command:
$ sudo yum install firewalld |
| Rationale | The firewalld package should be installed to provide access control methods. |
OVAL test results detailspackage firewalld is installed
oval:ssg-test_package_firewalld_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| firewalld | noarch | (none) | 7.el8_4 | 0.8.2 | 0:0.8.2-7.el8_4 | 199e2f91fd431d51 | firewalld-0:0.8.2-7.el8_4.noarch |
Verify firewalld Enabledxccdf_org.ssgproject.content_rule_service_firewalld_enabled mediumCCE-80877-4
Verify firewalld Enabled
| Rule ID | xccdf_org.ssgproject.content_rule_service_firewalld_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_firewalld_enabled:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80877-4 References:
3.4.2.1, 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.3, 3.4.7, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232, RHEL-08-040100, SV-230505r599732_rule |
| Description | The firewalld service can be enabled with the following command: $ sudo systemctl enable firewalld.service |
| Rationale | Access control methods provide the ability to enhance system security posture
by restricting services and known good IP addresses and address ranges. This
prevents connections from unknown hosts and protocols. |
OVAL test results detailspackage firewalld is installed
oval:ssg-test_service_firewalld_package_firewalld_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| firewalld | noarch | (none) | 7.el8_4 | 0.8.2 | 0:0.8.2-7.el8_4 | 199e2f91fd431d51 | firewalld-0:0.8.2-7.el8_4.noarch |
Test that the firewalld service is running
oval:ssg-test_service_running_firewalld:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|
| firewalld.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_firewalld:tst:1
true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
systemd test
oval:ssg-test_multi_user_wants_firewalld_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
Configure the Firewalld Portsxccdf_org.ssgproject.content_rule_configure_firewalld_ports mediumCCE-84300-3
Configure the Firewalld Ports
| Rule ID | xccdf_org.ssgproject.content_rule_configure_firewalld_ports |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_firewalld_ports:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84300-3 References:
11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000382, CCI-002314, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 1416, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, RHEL-08-040030, SV-230500r599732_rule, SRG-OS-000096-VMM-000490, SRG-OS-000480-VMM-002000 |
| Description | Configure the firewalld ports to allow approved
services to have access to the system. To configure firewalld
to open ports, run the following command:
$ sudo firewall-cmd --permanent --add-port=port_number/tcp
or
$ sudo firewall-cmd --permanent --add-port=service_name
Run the command list above for each of the ports listed below:
To configure firewalld to allow access, run the following command(s):
firewall-cmd --permanent --add-service=ssh |
| Rationale | In order to prevent unauthorized connection of devices, unauthorized
transfer of information, or unauthorized tunneling (i.e., embedding of data
types within data types), organizations must disable or restrict unused or
unnecessary physical and logical ports/protocols on information systems.
Operating systems are capable of providing a wide variety of functions and
services. Some of the functions and services provided by default may not be
necessary to support essential organizational operations.
Additionally, it is sometimes convenient to provide multiple services from
a single component (e.g., VPN and IPS); however, doing so increases risk
over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the
operating system must support the organizational requirements, providing
only essential capabilities and limiting the use of ports, protocols,
and/or services to only those required, authorized, and approved to conduct
official business or to address authorized quality of life issues. |
|
OVAL test results detailsssh service is enabled in services
oval:ssg-test_firewalld_service_sshd_enabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_service_sshd_enabled:obj:1 of type
xmlfilecontent_object
| Path | Filename | Xpath |
|---|
| /etc/firewalld/services | ^.*\.xml$ | /service/service[@name='ssh'] |
ssh port is enabled in services
oval:ssg-test_firewalld_service_sshd_port_enabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_service_sshd_port_enabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/firewalld/services | ^.*\.xml$ | <port.*port="(\d+)" | 1 |
ssh service is enabled in zones
oval:ssg-test_firewalld_zone_sshd_enabled:tst:1
true
Following items have been found on the system:
| Filepath | Path | Filename | Xpath |
|---|
| /etc/firewalld/zones/public.xml | /etc/firewalld/zones | public.xml | /zone/service[@name='ssh'] |
ssh service is enabled in zones
oval:ssg-test_nic_assigned_to_sshd_enabled_zone:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_zones_with_nics:obj:1 of type
xmlfilecontent_object
| Path | Filename | Xpath |
|---|
| Referenced variable has no values (oval:ssg-var_firewalld_zones_with_assigned_nics:var:1). | /etc/firewalld/zones | /zone/service[@name='ssh'] |
ssh port is enabled in zones
oval:ssg-test_firewalld_zone_sshd_port_enabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_zone_sshd_port_enabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/firewalld/zones | ^.*\.xml$ | <port.*port="(\d+)" | 1 |
Disable IEEE 1394 (FireWire) Supportxccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled mediumCCE-82005-0
Disable IEEE 1394 (FireWire) Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_firewire-core_disabled:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82005-0 References:
FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, RHEL-08-040026, SV-230499r599732_rule |
| Description | The IEEE 1394 (FireWire) is a serial bus standard for
high-speed real-time communication.
To configure the system to prevent the firewire-core
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install firewire-core /bin/true |
| Rationale | Disabling FireWire protects the system against exploitation of any
flaws in its implementation. |
OVAL test results detailskernel module firewire-core disabled
oval:ssg-test_kernmod_firewire-core_disabled:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/modprobe.d/"firewire-core".conf | install firewire-core /bin/true |
kernel module firewire-core disabled in /etc/modules-load.d
oval:ssg-test_kernmod_firewire-core_etcmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_etcmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modules-load.d | ^.*\.conf$ | ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ | 1 |
kernel module firewire-core disabled in /run/modules-load.d
oval:ssg-test_kernmod_firewire-core_runmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_runmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modules-load.d | ^.*\.conf$ | ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ | 1 |
kernel module firewire-core disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_firewire-core_libmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_libmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ | 1 |
kernel module firewire-core disabled in /run/modprobe.d
oval:ssg-test_kernmod_firewire-core_runmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_runmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modprobe.d | ^.*\.conf$ | ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ | 1 |
kernel module firewire-core disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_firewire-core_libmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_libmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modprobe.d | ^.*\.conf$ | ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ | 1 |
kernel module firewire-core disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_firewire-core_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ | 1 |
Disable ATM Supportxccdf_org.ssgproject.content_rule_kernel_module_atm_disabled mediumCCE-82028-2
Disable ATM Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_atm_disabled:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82028-2 References:
FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, RHEL-08-040021, SV-230494r599732_rule |
| Description | The Asynchronous Transfer Mode (ATM) is a protocol operating on
network, data link, and physical layers, based on virtual circuits
and virtual paths.
To configure the system to prevent the atm
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install atm /bin/true |
| Rationale | Disabling ATM protects the system against exploitation of any
flaws in its implementation. |
OVAL test results detailskernel module atm disabled
oval:ssg-test_kernmod_atm_disabled:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/modprobe.d/"atm".conf | install atm /bin/true |
kernel module atm disabled in /etc/modules-load.d
oval:ssg-test_kernmod_atm_etcmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_etcmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modules-load.d | ^.*\.conf$ | ^\s*install\s+atm\s+(/bin/false|/bin/true)$ | 1 |
kernel module atm disabled in /run/modules-load.d
oval:ssg-test_kernmod_atm_runmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_runmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modules-load.d | ^.*\.conf$ | ^\s*install\s+atm\s+(/bin/false|/bin/true)$ | 1 |
kernel module atm disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_atm_libmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_libmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+atm\s+(/bin/false|/bin/true)$ | 1 |
kernel module atm disabled in /run/modprobe.d
oval:ssg-test_kernmod_atm_runmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_runmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modprobe.d | ^.*\.conf$ | ^\s*install\s+atm\s+(/bin/false|/bin/true)$ | 1 |
kernel module atm disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_atm_libmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_libmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modprobe.d | ^.*\.conf$ | ^\s*install\s+atm\s+(/bin/false|/bin/true)$ | 1 |
kernel module atm disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_atm_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+atm\s+(/bin/false|/bin/true)$ | 1 |
Disable CAN Supportxccdf_org.ssgproject.content_rule_kernel_module_can_disabled mediumCCE-82059-7
Disable CAN Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_can_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_can_disabled:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82059-7 References:
FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, RHEL-08-040022, SV-230495r599732_rule |
| Description | The Controller Area Network (CAN) is a serial communications
protocol which was initially developed for automotive and
is now also used in marine, industrial, and medical applications.
To configure the system to prevent the can
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install can /bin/true |
| Rationale | Disabling CAN protects the system against exploitation of any
flaws in its implementation. |
OVAL test results detailskernel module can disabled
oval:ssg-test_kernmod_can_disabled:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/modprobe.d/"can".conf | install can /bin/true |
kernel module can disabled in /etc/modules-load.d
oval:ssg-test_kernmod_can_etcmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_etcmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modules-load.d | ^.*\.conf$ | ^\s*install\s+can\s+(/bin/false|/bin/true)$ | 1 |
kernel module can disabled in /run/modules-load.d
oval:ssg-test_kernmod_can_runmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_runmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modules-load.d | ^.*\.conf$ | ^\s*install\s+can\s+(/bin/false|/bin/true)$ | 1 |
kernel module can disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_can_libmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_libmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+can\s+(/bin/false|/bin/true)$ | 1 |
kernel module can disabled in /run/modprobe.d
oval:ssg-test_kernmod_can_runmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_runmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modprobe.d | ^.*\.conf$ | ^\s*install\s+can\s+(/bin/false|/bin/true)$ | 1 |
kernel module can disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_can_libmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_libmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modprobe.d | ^.*\.conf$ | ^\s*install\s+can\s+(/bin/false|/bin/true)$ | 1 |
kernel module can disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_can_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+can\s+(/bin/false|/bin/true)$ | 1 |
Disable TIPC Supportxccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled mediumCCE-82297-3
Disable TIPC Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_tipc_disabled:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82297-3 References:
3.3.4, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, RHEL-08-040024, SV-230497r599732_rule |
| Description | The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.
To configure the system to prevent the tipc
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install tipc /bin/true |
| Rationale | Disabling TIPC protects
the system against exploitation of any flaws in its implementation. |
| Warnings | warning
This configuration baseline was created to deploy the base operating system for general purpose
workloads. When the operating system is configured for certain purposes, such as
a node in High Performance Computing cluster, it is expected that
the tipc kernel module will be loaded. |
OVAL test results detailskernel module tipc disabled
oval:ssg-test_kernmod_tipc_disabled:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/modprobe.d/"tipc".conf | install tipc /bin/true |
kernel module tipc disabled in /etc/modules-load.d
oval:ssg-test_kernmod_tipc_etcmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_etcmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modules-load.d | ^.*\.conf$ | ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ | 1 |
kernel module tipc disabled in /run/modules-load.d
oval:ssg-test_kernmod_tipc_runmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_runmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modules-load.d | ^.*\.conf$ | ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ | 1 |
kernel module tipc disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_tipc_libmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_libmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ | 1 |
kernel module tipc disabled in /run/modprobe.d
oval:ssg-test_kernmod_tipc_runmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_runmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modprobe.d | ^.*\.conf$ | ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ | 1 |
kernel module tipc disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_tipc_libmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_libmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modprobe.d | ^.*\.conf$ | ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ | 1 |
kernel module tipc disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_tipc_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ | 1 |
Disable SCTP Supportxccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled mediumCCE-80834-5
Disable SCTP Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_sctp_disabled:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80834-5 References:
3.5.2, 11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049, RHEL-08-040023, SV-230496r599732_rule |
| Description | The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.
To configure the system to prevent the sctp
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install sctp /bin/true |
| Rationale | Disabling SCTP protects
the system against exploitation of any flaws in its implementation. |
OVAL test results detailskernel module sctp disabled
oval:ssg-test_kernmod_sctp_disabled:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/modprobe.d/"sctp".conf | install sctp /bin/true |
kernel module sctp disabled in /etc/modules-load.d
oval:ssg-test_kernmod_sctp_etcmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_sctp_etcmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modules-load.d | ^.*\.conf$ | ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ | 1 |
kernel module sctp disabled in /run/modules-load.d
oval:ssg-test_kernmod_sctp_runmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_sctp_runmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modules-load.d | ^.*\.conf$ | ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ | 1 |
kernel module sctp disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_sctp_libmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_sctp_libmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ | 1 |
kernel module sctp disabled in /run/modprobe.d
oval:ssg-test_kernmod_sctp_runmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_sctp_runmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modprobe.d | ^.*\.conf$ | ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ | 1 |
kernel module sctp disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_sctp_libmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_sctp_libmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modprobe.d | ^.*\.conf$ | ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ | 1 |
kernel module sctp disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_sctp_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_sctp_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ | 1 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route mediumCCE-81011-9
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81011-9 References:
BP28(R22), 3.2.1, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040240, SV-230538r599732_rule |
| Description | To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures. This requirement
applies only to the forwarding of source-routerd traffic, such as when IPv4
forwarding is enabled and the system is functioning as a router.
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required. |
OVAL test results detailsnet.ipv4.conf.all.accept_source_route static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_source_route:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=1
kernel.kptr_restrict=1
user.max_user_namespaces=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
|
net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=1
kernel.kptr_restrict=1
user.max_user_namespaces=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
|
net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_source_route:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n | 1 |
net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_source_route:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/sysctl.d/50-default.conf | # Do not accept source routing
net.ipv4.conf.all.accept_source_route = 0
|
kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_accept_source_route:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv4.conf.all.accept_source_route | 0 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts mediumCCE-80922-8
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80922-8 References:
3.2.5, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040230, SV-230537r599732_rule |
| Description | To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_echo_ignore_broadcasts = 1 |
| Rationale | Responding to broadcast (ICMP) echoes facilitates network mapping
and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast
addresses makes the system slightly more difficult to enumerate on the network. |
OVAL test results detailsnet.ipv4.icmp_echo_ignore_broadcasts static configuration
oval:ssg-test_static_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
|
net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
|
net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n | 1 |
net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n | 1 |
kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_icmp_echo_ignore_broadcasts:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv4.icmp_echo_ignore_broadcasts | 1 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route mediumCCE-80920-2
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80920-2 References:
BP28(R22), 3.2.1, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227 |
| Description | To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required, such as when
IPv4 forwarding is enabled and the system is legitimately functioning as a
router. |
OVAL test results detailsnet.ipv4.conf.default.accept_source_route static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_source_route:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=1
kernel.kptr_restrict=1
user.max_user_namespaces=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
|
net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_source_route:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=1
kernel.kptr_restrict=1
user.max_user_namespaces=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
|
net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_source_route:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n | 1 |
net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n | 1 |
kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_accept_source_route:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv4.conf.default.accept_source_route | 0 |
Disable Accepting ICMP Redirects for All IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects mediumCCE-80917-8
Disable Accepting ICMP Redirects for All IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80917-8 References:
BP28(R22), 3.2.2, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, CCI-001503, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040280, SV-230544r599732_rule |
| Description | To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be
disabled unless absolutely required." |
OVAL test results detailsnet.ipv4.conf.all.accept_redirects static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_redirects:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=1
kernel.kptr_restrict=1
user.max_user_namespaces=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
|
net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_redirects:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=1
kernel.kptr_restrict=1
user.max_user_namespaces=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
|
net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_redirects:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n | 1 |
net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n | 1 |
kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_accept_redirects:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv4.conf.all.accept_redirects | 0 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects mediumCCE-80919-4
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80919-4 References:
BP28(R22), 3.2.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040210, SV-230535r599732_rule |
| Description | To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should
be disabled unless absolutely required. |
OVAL test results detailsnet.ipv4.conf.default.accept_redirects static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_redirects:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=1
kernel.kptr_restrict=1
user.max_user_namespaces=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_redirects=0
|
net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_redirects:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=1
kernel.kptr_restrict=1
user.max_user_namespaces=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_redirects=0
|
net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_redirects:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n | 1 |
net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n | 1 |
kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_accept_redirects:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv4.conf.default.accept_redirects | 0 |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter mediumCCE-81021-8
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81021-8 References:
BP28(R22), 3.2.7, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040285, SV-230549r599732_rule |
| Description | To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1 |
| Rationale | Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks. |
OVAL test results detailsnet.ipv4.conf.all.rp_filter static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_all_rp_filter:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=1
kernel.kptr_restrict=1
user.max_user_namespaces=0
net.ipv4.conf.all.rp_filter=1
|
net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_rp_filter:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | # For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.kexec_load_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.randomize_va_space=2
kernel.core_pattern=|/bin/false
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=1
kernel.kptr_restrict=1
user.max_user_namespaces=0
net.ipv4.conf.all.rp_filter=1
|
net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_rp_filter:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_rp_filter:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n | 1 |
net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_rp_filter:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/sysctl.d/50-default.conf | # Source route verification
net.ipv4.conf.all.rp_filter = 1
|
kernel runtime parameter net.ipv4.conf.all.rp_filter set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_rp_filter:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv4.conf.all.rp_filter | 1 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects mediumCCE-80918-6
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80918-6 References:
BP28(R22), 3.1.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040220, SV-230536r599732_rule |
| Description | To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.send_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. |
OVAL test results detailsnet.ipv4.conf.all.send_redirects static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_all_send_redirects:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | net.ipv4.conf.all.send_redirects=0 |
net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_send_redirects:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.conf.all.send_redirects=0 |
net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_send_redirects:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_send_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ | 1 |
net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0
oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_send_redirects:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv4.conf.all.send_redirects | 0 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects mediumCCE-80921-0
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80921-0 References:
BP28(R22), 3.1.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040270, SV-230543r599732_rule |
| Description | To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.send_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. |
OVAL test results detailsnet.ipv4.conf.default.send_redirects static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_default_send_redirects:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | net.ipv4.conf.default.send_redirects=0 |
net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_send_redirects:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.conf.default.send_redirects=0 |
net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_send_redirects:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_send_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ | 1 |
net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0
oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_send_redirects:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv4.conf.default.send_redirects | 0 |
Disable Kernel Parameter for IP Forwarding on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward mediumCCE-81024-2
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_ip_forward:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81024-2 References:
BP28(R22), 3.1.1., 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040260, SV-230540r599732_rule |
| Description | To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0 |
| Rationale | Routing protocol daemons are typically used on routers to exchange
network topology information with other routers. If this capability is used when
not required, system network information may be unnecessarily transmitted across
the network. |
| Warnings | warning
Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking.
Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in
profiles or benchmarks that target usage of IPv4 forwarding. |
OVAL test results detailsnet.ipv4.ip_forward static configuration
oval:ssg-test_static_sysctl_net_ipv4_ip_forward:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | net.ipv4.ip_forward=0 |
net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_ip_forward:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.ip_forward=0 |
net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_ip_forward:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_ip_forward:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ | 1 |
net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_ip_forward:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_ip_forward:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ | 1 |
kernel runtime parameter net.ipv4.ip_forward set to 0
oval:ssg-test_sysctl_runtime_net_ipv4_ip_forward:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| net.ipv4.ip_forward | 0 |
Configure Multiple DNS Servers in /etc/resolv.confxccdf_org.ssgproject.content_rule_network_configure_name_resolution lowCCE-84049-6
Configure Multiple DNS Servers in /etc/resolv.conf
| Rule ID | xccdf_org.ssgproject.content_rule_network_configure_name_resolution |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-network_configure_name_resolution:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-84049-6 References:
12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, SC-20(a), CM-6(a), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010680, SV-230316r599732_rule |
| Description | Multiple Domain Name System (DNS) Servers should be configured
in /etc/resolv.conf. This provides redundant name resolution services
in the event that a domain server crashes. To configure the system to contain
as least 2 DNS servers, add a corresponding nameserver
ip_address entry in /etc/resolv.conf for each DNS
server where ip_address is the IP address of a valid DNS server.
For example:
search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2 |
| Rationale | To provide availability for name resolution services, multiple redundant
name servers are mandated. A failure in name resolution could lead to the
failure of security functions requiring name resolution, which may include
time synchronization, centralized authentication, and remote system logging. |
OVAL test results detailscheck if more than one nameserver in /etc/resolv.conf
oval:ssg-test_network_configure_name_resolution:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_network_configure_name_resolution:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/resolv.conf | ^[\s]*nameserver[\s]+([0-9\.]+)$ | 1 |
Ensure System is Not Acting as a Network Snifferxccdf_org.ssgproject.content_rule_network_sniffer_disabled mediumCCE-82283-3
Ensure System is Not Acting as a Network Sniffer
| Rule ID | xccdf_org.ssgproject.content_rule_network_sniffer_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-network_sniffer_disabled:def:1 |
| Time | 2021-08-12T02:37:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82283-3 References:
1, 11, 14, 3, 9, APO11.06, APO12.06, BAI03.10, BAI09.01, BAI09.02, BAI09.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.05, DSS04.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.2.3.4, 4.3.3.3.7, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, SR 7.8, A.11.1.2, A.11.2.4, A.11.2.5, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.16.1.6, A.8.1.1, A.8.1.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-7(2), MA-3, DE.DP-5, ID.AM-1, PR.IP-1, PR.MA-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040330, SV-230554r599732_rule |
| Description | The system should not be acting as a network sniffer, which can
capture all traffic on the network to which it is connected. Run the following
to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
Promiscuous mode of an interface can be disabled with the following command:
$ sudo ip link set dev device_name multicast off promisc off |
| Rationale | Network interfaces in promiscuous mode allow for the capture of all network traffic
visible to the system. If unauthorized individuals can access these applications, it
may allow them to collect information such as logon IDs, passwords, and key exchanges
between systems.
If the system is being used to perform a network troubleshooting function, the use of these
tools must be documented with the Information Systems Security Manager (ISSM) and restricted
to only authorized personnel. |
OVAL test results detailscheck all network interfaces for PROMISC flag
oval:ssg-test_promisc_interfaces:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_promisc_interfaces:obj:1 of type
interface_object
| Name | Filter |
|---|
| ^.*$ | oval:ssg-state_promisc:ste:1 |
Disable the Automounterxccdf_org.ssgproject.content_rule_service_autofs_disabled mediumCCE-80873-3
Disable the Automounter
| Rule ID | xccdf_org.ssgproject.content_rule_service_autofs_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_autofs_disabled:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80873-3 References:
1.1.22, 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040070, SV-230502r599732_rule |
| Description | The autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service |
| Rationale | Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab.
Additionally, automatically mounting filesystems permits easy introduction of
unknown devices, thereby facilitating malicious activity. |
OVAL test results detailspackage autofs is removed
oval:ssg-test_service_autofs_package_autofs_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_autofs_package_autofs_removed:obj:1 of type
rpminfo_object
Test that the autofs service is not running
oval:ssg-test_service_not_running_autofs:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_autofs:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^autofs\.(service|socket)$ | ActiveState |
Test that the property LoadState from the service autofs is masked
oval:ssg-test_service_loadstate_is_masked_autofs:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_autofs:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^autofs\.(service|socket)$ | LoadState |
Test that the property FragmentPath from the service autofs is set to /dev/null
oval:ssg-test_service_fragmentpath_is_dev_null_autofs:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_fragmentpath_is_dev_null_autofs:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^autofs\.(service|socket)$ | FragmentPath |
Disable Mounting of cramfsxccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled lowCCE-81031-7
Disable Mounting of cramfs
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_cramfs_disabled:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-81031-7 References:
1.1.1.1, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049, RHEL-08-040025, SV-230498r599732_rule |
| Description |
To configure the system to prevent the cramfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install cramfs /bin/true
This effectively prevents usage of this uncommon filesystem.
The cramfs filesystem type is a compressed read-only
Linux filesystem embedded in small footprint systems. A
cramfs image can be used without having to first
decompress the image. |
| Rationale | Removing support for unneeded filesystem types reduces the local attack surface
of the server. |
OVAL test results detailskernel module cramfs disabled
oval:ssg-test_kernmod_cramfs_disabled:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/modprobe.d/"cramfs".conf | install cramfs /bin/true |
kernel module cramfs disabled in /etc/modules-load.d
oval:ssg-test_kernmod_cramfs_etcmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cramfs_etcmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modules-load.d | ^.*\.conf$ | ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ | 1 |
kernel module cramfs disabled in /run/modules-load.d
oval:ssg-test_kernmod_cramfs_runmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cramfs_runmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modules-load.d | ^.*\.conf$ | ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ | 1 |
kernel module cramfs disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_cramfs_libmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cramfs_libmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ | 1 |
kernel module cramfs disabled in /run/modprobe.d
oval:ssg-test_kernmod_cramfs_runmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cramfs_runmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modprobe.d | ^.*\.conf$ | ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ | 1 |
kernel module cramfs disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_cramfs_libmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cramfs_libmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modprobe.d | ^.*\.conf$ | ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ | 1 |
kernel module cramfs disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_cramfs_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cramfs_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ | 1 |
Disable Modprobe Loading of USB Storage Driverxccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled mediumCCE-80835-2
Disable Modprobe Loading of USB Storage Driver
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_usb-storage_disabled:def:1 |
| Time | 2021-08-12T02:37:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80835-2 References:
1.1.23, 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.21, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040080, SV-230503r599732_rule |
| Description | To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually. |
| Rationale | USB storage devices such as thumb drives can be used to introduce
malicious software. |
OVAL test results detailskernel module usb-storage disabled
oval:ssg-test_kernmod_usb-storage_disabled:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/modprobe.d/"usb-storage".conf | install usb-storage /bin/true |
kernel module usb-storage disabled in /etc/modules-load.d
oval:ssg-test_kernmod_usb-storage_etcmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_etcmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modules-load.d | ^.*\.conf$ | ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ | 1 |
kernel module usb-storage disabled in /run/modules-load.d
oval:ssg-test_kernmod_usb-storage_runmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_runmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modules-load.d | ^.*\.conf$ | ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ | 1 |
kernel module usb-storage disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_usb-storage_libmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_libmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ | 1 |
kernel module usb-storage disabled in /run/modprobe.d
oval:ssg-test_kernmod_usb-storage_runmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_runmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modprobe.d | ^.*\.conf$ | ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ | 1 |
kernel module usb-storage disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_usb-storage_libmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_libmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modprobe.d | ^.*\.conf$ | ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ | 1 |
kernel module usb-storage disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_usb-storage_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ | 1 |
Verify that System Executables Have Root Ownershipxccdf_org.ssgproject.content_rule_file_ownership_binary_dirs mediumCCE-80806-3
Verify that System Executables Have Root Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_ownership_binary_dirs:def:1 |
| Time | 2021-08-12T02:38:13+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80806-3 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, RHEL-08-010310, SV-230258r599732_rule |
| Description | System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user.
If any file FILE in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
$ sudo chown root FILE |
| Rationale | System binaries are executed by privileged users as well as system services,
and restrictive permissions are necessary to ensure that their
execution of these programs cannot be co-opted. |
OVAL test results detailsbinary directories uid root
oval:ssg-test_ownership_binary_directories:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_binary_directories:obj:1 of type
file_object
| Path | Filename | Filter |
|---|
| ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec | no value | oval:ssg-state_owner_binaries_not_root:ste:1 |
binary files uid root
oval:ssg-test_ownership_binary_files:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_binary_files:obj:1 of type
file_object
| Path | Filename | Filter |
|---|
| ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec | ^.*$ | oval:ssg-state_owner_binaries_not_root:ste:1 |
Verify that System Executables Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_file_permissions_binary_dirs mediumCCE-80809-7
Verify that System Executables Have Restrictive Permissions
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_binary_dirs:def:1 |
| Time | 2021-08-12T02:38:13+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80809-7 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, RHEL-08-010300, SV-230257r599732_rule |
| Description | System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable.
If any file FILE in these directories is found
to be group-writable or world-writable, correct its permission with the
following command:
$ sudo chmod go-w FILE |
| Rationale | System binaries are executed by privileged users, as well as system services,
and restrictive permissions are necessary to ensure execution of these programs
cannot be co-opted. |
OVAL test results detailsbinary files go-w
oval:ssg-test_perms_binary_files:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_binary_files:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec | ^.*$ | oval:ssg-state_perms_binary_files_nogroupwrite_noworldwrite:ste:1 | oval:ssg-state_perms_binary_files_symlink:ste:1 |
Verify that Shared Library Files Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_file_permissions_library_dirs mediumCCE-80815-4
Verify that Shared Library Files Have Restrictive Permissions
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_library_dirs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_library_dirs:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80815-4 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, RHEL-08-010330, SV-230260r599732_rule |
| Description | System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are
stored in /lib/modules. All files in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w FILE |
| Rationale | Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Restrictive permissions are necessary to protect the integrity of the system. |
OVAL test results detailslibrary directories go-w
oval:ssg-test_perms_lib_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_lib_dir:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| ^\/lib(|64)|^\/usr\/lib(|64) | no value | oval:ssg-state_perms_nogroupwrite_noworldwrite:ste:1 | oval:ssg-perms_state_symlink:ste:1 |
library files go-w
oval:ssg-test_perms_lib_files:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_lib_files:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| ^\/lib(|64)|^\/usr\/lib(|64) | ^.*$ | oval:ssg-state_perms_nogroupwrite_noworldwrite:ste:1 | oval:ssg-perms_state_symlink:ste:1 |
Verify that Shared Library Files Have Root Ownershipxccdf_org.ssgproject.content_rule_file_ownership_library_dirs mediumCCE-80807-1
Verify that Shared Library Files Have Root Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_library_dirs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_ownership_library_dirs:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80807-1 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, RHEL-08-010340, SV-230261r599732_rule |
| Description | System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
owned by the root user. If the directory, or any file in these
directories, is found to be owned by a user other than root correct its
ownership with the following command:
$ sudo chown root FILE |
| Rationale | Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership is necessary to protect the integrity of the system. |
OVAL test results detailslibrary directories uid root
oval:ssg-test_ownership_lib_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_lib_dir:obj:1 of type
file_object
| Path | Filename | Filter |
|---|
| ^\/lib(|64)\/|^\/usr\/lib(|64)\/ | no value | oval:ssg-state_owner_libraries_not_root:ste:1 |
library files uid root
oval:ssg-test_ownership_lib_files:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_lib_files:obj:1 of type
file_object
| Path | Filename | Filter |
|---|
| ^\/lib(|64)\/|^\/usr\/lib(|64)\/ | ^.*$ | oval:ssg-state_owner_libraries_not_root:ste:1 |
Verify that All World-Writable Directories Have Sticky Bits Setxccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits mediumCCE-80783-4
Verify that All World-Writable Directories Have Sticky Bits Set
| Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_perms_world_writable_sticky_bits:def:1 |
| Time | 2021-08-12T02:37:31+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80783-4 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000138-GPOS-00069, RHEL-08-010190, SV-230243r599732_rule |
| Description | When the so-called 'sticky bit' is set on a directory,
only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky
bit prevents users from removing each other's files. In cases where
there is no reason for a directory to be world-writable, a better
solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application,
consult that application's documentation instead of blindly
changing modes.
To set the sticky bit on a world-writable directory DIR, run the
following command:
$ sudo chmod +t DIR |
| Rationale | Failing to set the sticky bit on public directories allows unauthorized
users to delete files in the directory structure.
The only authorized public directories are those temporary directories
supplied with the system, or those designed to be temporary file
repositories. The setting is normally reserved for directories used by the
system, by users for temporary file storage (such as /tmp), and
for directories requiring global read/write access. |
OVAL test results detailsall local world-writable directories have sticky bit set
oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_only_local_directories:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|
| no value | / | no value | oval:ssg-state_world_writable_and_not_sticky:ste:1 |
Enable Kernel Parameter to Enforce DAC on Symlinksxccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks mediumCCE-81030-9
Enable Kernel Parameter to Enforce DAC on Symlinks
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_fs_protected_symlinks:def:1 |
| Time | 2021-08-12T02:37:31+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81030-9 References:
BP28(R23), 1.6.1, CM-6(a), AC-6(1), SRG-OS-000324-GPOS-00125, RHEL-08-010373, SV-230267r599732_rule |
| Description | To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1 |
| Rationale | By enabling this kernel parameter, symbolic links are permitted to be followed
only when outside a sticky world-writable directory, or when the UID of the
link and follower match, or when the directory owner matches the symlink's owner.
Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system
accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of
open() or creat(). |
OVAL test results detailsfs.protected_symlinks static configuration
oval:ssg-test_static_sysctl_fs_protected_symlinks:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | fs.protected_symlinks=1 |
fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_fs_protected_symlinks:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | fs.protected_symlinks=1 |
fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_fs_protected_symlinks:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_fs_protected_symlinks:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$ | 1 |
fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_fs_protected_symlinks:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/sysctl.d/50-default.conf | fs.protected_symlinks = 1
|
kernel runtime parameter fs.protected_symlinks set to 1
oval:ssg-test_sysctl_runtime_fs_protected_symlinks:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| fs.protected_symlinks | 1 |
Ensure All Files Are Owned by a Userxccdf_org.ssgproject.content_rule_no_files_unowned_by_user mediumCCE-83499-4
Ensure All Files Are Owned by a User
| Rule ID | xccdf_org.ssgproject.content_rule_no_files_unowned_by_user |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_files_unowned_by_user:def:1 |
| Time | 2021-08-12T02:37:50+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-83499-4 References:
6.1.11, 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010780, SV-230326r599732_rule |
| Description | If any files are not owned by a user, then the
cause of their lack of ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate user. |
| Rationale | Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed. |
| Warnings | warning
For this rule to evaluate centralized user accounts, getent must be working properly
so that running the command getent passwd returns a list of all users in your organization.
If using the System Security Services Daemon (SSSD), enumerate = true must be configured
in your organization's domain to return a complete list of users warning
Enabling this rule will result in slower scan times depending on the size of your organization
and number of centralized users. |
OVAL test results detailsCheck user ids on all files on the system
oval:ssg-no_files_unowned_by_user_test:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-file_permissions_unowned_object:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|
| no value | / | .* | oval:ssg-file_permissions_unowned_userid_list_match:ste:1 |
Ensure All Files Are Owned by a Groupxccdf_org.ssgproject.content_rule_file_permissions_ungroupowned mediumCCE-83497-8
Ensure All Files Are Owned by a Group
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_ungroupowned:def:1 |
| Time | 2021-08-12T02:38:09+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-83497-8 References:
6.1.12, 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010790, SV-230327r599732_rule |
| Description | If any files are not owned by a group, then the
cause of their lack of group-ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group. |
| Rationale | Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed. |
| Warnings | warning
This rule only considers local groups.
If you have your groups defined outside /etc/group, the rule won't consider those. |
OVAL test results detailsfiles with no group owner
oval:ssg-test_file_permissions_ungroupowned:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_ungroupowned:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|
| no value | / | .* | oval:ssg-state_file_permissions_ungroupowned:ste:1 |
Enable Kernel Parameter to Enforce DAC on Hardlinksxccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks mediumCCE-81027-5
Enable Kernel Parameter to Enforce DAC on Hardlinks
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_fs_protected_hardlinks:def:1 |
| Time | 2021-08-12T02:38:09+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81027-5 References:
BP28(R23), 1.6.1, CM-6(a), AC-6(1), SRG-OS-000324-GPOS-00125, RHEL-08-010374, SV-230268r599818_rule |
| Description | To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_hardlinks = 1 |
| Rationale | By enabling this kernel parameter, users can no longer create soft or hard links to
files which they do not own. Disallowing such hardlinks mitigate vulnerabilities
based on insecure file system accessed by privileged programs, avoiding an
exploitation vector exploiting unsafe use of open() or creat(). |
OVAL test results detailsfs.protected_hardlinks static configuration
oval:ssg-test_static_sysctl_fs_protected_hardlinks:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | fs.protected_hardlinks=1 |
fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_fs_protected_hardlinks:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | fs.protected_hardlinks=1 |
fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_fs_protected_hardlinks:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_fs_protected_hardlinks:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$ | 1 |
fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_fs_protected_hardlinks:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/sysctl.d/50-default.conf | fs.protected_hardlinks = 1 |
kernel runtime parameter fs.protected_hardlinks set to 1
oval:ssg-test_sysctl_runtime_fs_protected_hardlinks:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| fs.protected_hardlinks | 1 |
Ensure All World-Writable Directories Are Owned by root userxccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned mediumCCE-83375-6
Ensure All World-Writable Directories Are Owned by root user
| Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_perms_world_writable_root_owned:def:1 |
| Time | 2021-08-12T02:38:12+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-83375-6 References:
BP28(R40), SRG-OS-000480-GPOS-00227, RHEL-08-010700, SV-230318r599732_rule |
| Description | All directories in local partitions which are world-writable should be owned
by root. If any world-writable directories are not owned by root, this
should be investigated. Following this, the files should be deleted or
assigned to root user. |
| Rationale | Allowing a user account to own a world-writable directory is
undesirable because it allows the owner of that directory to remove
or replace any files that may be placed in the directory by other
users. |
OVAL test results detailscheck for local directories that are world writable and have uid greater than 0
oval:ssg-test_dir_world_writable_uid_gt_zero:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-all_local_directories_uid_zero:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|
| no value | / | no value | oval:ssg-state_uid_is_not_root_and_world_writable:ste:1 |
Enable SLUB/SLAB allocator poisoningxccdf_org.ssgproject.content_rule_grub2_slub_debug_argument mediumCCE-80945-9
Enable SLUB/SLAB allocator poisoning
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_slub_debug_argument:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80945-9 References:
CM-6(a), SRG-OS-000433-GPOS-00192, RHEL-08-010423, SV-230279r599732_rule |
| Description | To enable poisoning of SLUB/SLAB objects,
add the argument slub_debug=P to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="slub_debug=P" |
| Rationale | Poisoning writes an arbitrary value to freed objects, so any modification or
reference to that object after being freed or before being initialized will be
detected and prevented.
This prevents many types of use-after-free vulnerabilities at little performance cost.
Also prevents leak of data and detection of corrupted memory. |
| Warnings | warning
The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
|
OVAL test results detailscheck forkernel command line parameters slub_debug=P in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_slub_debug_argument_grub_env:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /boot/grub2/grubenv | kernelopts=root=UUID=fab9287a-70f3-4573-b393-f09902623b96 ro console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau nvme_core.io_timeout=4294967295 crashkernel=auto audit=1 audit_backlog_limit=8192 pti=on vsyscall=none slub_debug=P page_poison=1 fips=1 |
Enable page allocator poisoningxccdf_org.ssgproject.content_rule_grub2_page_poison_argument mediumCCE-80944-2
Enable page allocator poisoning
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_page_poison_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_page_poison_argument:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80944-2 References:
CM-6(a), SRG-OS-000480-GPOS-00227, RHEL-08-010421, SV-230277r599732_rule |
| Description | To enable poisoning of free pages,
add the argument page_poison=1 to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="page_poison=1" |
| Rationale | Poisoning writes an arbitrary value to freed pages, so any modification or
reference to that page after being freed or before being initialized will be
detected and prevented.
This prevents many types of use-after-free vulnerabilities at little performance cost.
Also prevents leak of data and detection of corrupted memory. |
| Warnings | warning
The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
|
OVAL test results detailscheck forkernel command line parameters page_poison=1 in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_page_poison_argument_grub_env:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /boot/grub2/grubenv | kernelopts=root=UUID=fab9287a-70f3-4573-b393-f09902623b96 ro console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau nvme_core.io_timeout=4294967295 crashkernel=auto audit=1 audit_backlog_limit=8192 pti=on vsyscall=none slub_debug=P page_poison=1 fips=1 |
Restrict Exposed Kernel Pointer Addresses Accessxccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict mediumCCE-80915-2
Restrict Exposed Kernel Pointer Addresses Access
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_kptr_restrict:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80915-2 References:
BP28(R23), SC-30, SC-30(2), SC-30(5), CM-6(a), SRG-OS-000132-GPOS-00067, RHEL-08-040283, SV-230547r599732_rule |
| Description | To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict = 1 |
| Rationale | Exposing kernel pointers (through procfs or seq_printf()) exposes
kernel writeable structures that can contain functions pointers. If a write vulnereability occurs
in the kernel allowing a write access to any of this structure, the kernel can be compromise. This
option disallow any program withtout the CAP_SYSLOG capability from getting the kernel pointers addresses,
replacing them with 0. |
OVAL test results detailskernel.kptr_restrict static configuration
oval:ssg-test_static_sysctl_kernel_kptr_restrict:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | kernel.kptr_restrict=1 |
kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_kptr_restrict:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | kernel.kptr_restrict=1 |
kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_kptr_restrict:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_kernel_kptr_restrict:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ | 1 |
kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_kptr_restrict:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/sysctl.d/50-default.conf | kernel.kptr_restrict = 1
|
kernel runtime parameter kernel.kptr_restrict set to 1
oval:ssg-test_sysctl_runtime_kernel_kptr_restrict:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| kernel.kptr_restrict | 1 |
Enable Randomized Layout of Virtual Address Spacexccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space mediumCCE-80916-0
Enable Randomized Layout of Virtual Address Space
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_randomize_va_space:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80916-0 References:
BP28(R23), 1.6.2, 3.1.7, CCI-000366, CCI-002824, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SC-30, SC-30(2), CM-6(a), SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, RHEL-08-010430, SV-230280r599732_rule |
| Description | To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2 |
| Rationale | Address space layout randomization (ASLR) makes it more difficult for an
attacker to predict the location of attack code they have introduced into a
process's address space during an attempt at exploitation. Additionally,
ASLR makes it more difficult for an attacker to know the location of
existing code in order to re-purpose it using return oriented programming
(ROP) techniques. |
OVAL test results detailskernel.randomize_va_space static configuration
oval:ssg-test_static_sysctl_kernel_randomize_va_space:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | kernel.randomize_va_space=2 |
kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_randomize_va_space:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | kernel.randomize_va_space=2 |
kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_randomize_va_space:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_kernel_randomize_va_space:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ | 1 |
kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_randomize_va_space:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_kernel_randomize_va_space:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ | 1 |
kernel runtime parameter kernel.randomize_va_space set to 2
oval:ssg-test_sysctl_runtime_kernel_randomize_va_space:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| kernel.randomize_va_space | 2 |
Disable acquiring, saving, and processing core dumpsxccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled mediumCCE-82881-4
Disable acquiring, saving, and processing core dumps
| Rule ID | xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_systemd-coredump_disabled:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82881-4 References:
FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010672, SV-230312r599782_rule |
| Description | The systemd-coredump.socket unit is a socket activation of
the systemd-coredump@.service which processes core dumps.
By masking the unit, core dump processing is disabled. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers trying to debug problems. |
OVAL test results detailspackage systemd is removed
oval:ssg-test_service_systemd-coredump_package_systemd_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| systemd | x86_64 | (none) | 45.el8_4.3 | 239 | 0:239-45.el8_4.3 | 199e2f91fd431d51 | systemd-0:239-45.el8_4.3.x86_64 |
Test that the systemd-coredump service is not running
oval:ssg-test_service_not_running_systemd-coredump:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|
| systemd-coredump.socket | ActiveState | inactive |
Test that the property LoadState from the service systemd-coredump is masked
oval:ssg-test_service_loadstate_is_masked_systemd-coredump:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|
| systemd-coredump.socket | LoadState | masked |
Test that the property FragmentPath from the service systemd-coredump is set to /dev/null
oval:ssg-test_service_fragmentpath_is_dev_null_systemd-coredump:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|
| systemd-coredump.socket | FragmentPath | /dev/null |
Disable Core Dumps for All Usersxccdf_org.ssgproject.content_rule_disable_users_coredumps mediumCCE-81038-2
Disable Core Dumps for All Users
| Rule ID | xccdf_org.ssgproject.content_rule_disable_users_coredumps |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_users_coredumps:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81038-2 References:
1.6.1, 1, 12, 13, 15, 16, 2, 7, 8, APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.17.2.1, DE.CM-1, PR.DS-4, SRG-OS-000480-GPOS-00227, RHEL-08-010673, SV-230313r599784_rule |
| Description | To disable core dumps for all users, add the following line to
/etc/security/limits.conf, or to a file within the
/etc/security/limits.d/ directory:
* hard core 0 |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems. |
OVAL test results detailsTests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.d directory
oval:ssg-test_core_dumps_limits_d:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limits_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/security/limits.d | ^.*\.conf$ | ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+) | 1 |
Tests for existance of the ^[\s]*\*[\s]+(hard|-)[\s]+core setting in the /etc/security/limits.d directory
oval:ssg-test_core_dumps_limits_d_exists:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limits_d_exists:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/security/limits.d | ^.*\.conf$ | ^[\s]*\*[\s]+(?:hard|-)[\s]+core | 1 |
Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file
oval:ssg-test_core_dumps_limitsconf:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/security/limits.conf | * hard core 0 |
Disable core dump backtracesxccdf_org.ssgproject.content_rule_coredump_disable_backtraces mediumCCE-82251-0
Disable core dump backtraces
| Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_backtraces |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coredump_disable_backtraces:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82251-0 References:
1.6.1, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010675, SV-230315r599732_rule |
| Description | The ProcessSizeMax option in [Coredump] section
of /etc/systemd/coredump.conf
specifies the maximum size in bytes of a core which will be processed.
Core dumps exceeding this size may be stored, but the backtrace will not
be generated. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems.
Enabling core dumps on production systems is not recommended,
however there may be overriding operational requirements to enable advanced
debuging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy. |
| Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
OVAL test results detailstests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file
oval:ssg-test_coredump_disable_backtraces:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/systemd/coredump.conf |
[Coredump]
#Storage=external
#Compress=yes
#ProcessSizeMax=2G
#ExternalSizeMax=2G
#JournalSizeMax=767M
#MaxUse=
#KeepFree=
Storage=none
ProcessSizeMax=0 |
Disable storing core dumpxccdf_org.ssgproject.content_rule_coredump_disable_storage mediumCCE-82252-8
Disable storing core dump
| Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_storage |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coredump_disable_storage:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82252-8 References:
1.6.1, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010674, SV-230314r599732_rule |
| Description | The Storage option in [Coredump] section
of /etc/systemd/coredump.conf
can be set to none to disable storing core dumps permanently. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems. Enabling core dumps on production systems is not recommended,
however there may be overriding operational requirements to enable advanced
debuging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy. |
| Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
OVAL test results detailstests the value of Storage setting in the /etc/systemd/coredump.conf file
oval:ssg-test_coredump_disable_storage:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/systemd/coredump.conf |
[Coredump]
#Storage=external
#Compress=yes
#ProcessSizeMax=2G
#ExternalSizeMax=2G
#JournalSizeMax=767M
#MaxUse=
#KeepFree=
Storage=none |
Disallow kernel profiling by unprivileged usersxccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid mediumCCE-81054-9
Disallow kernel profiling by unprivileged users
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_perf_event_paranoid:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81054-9 References:
BP28(R23), FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, RHEL-08-010376, SV-230270r599823_rule |
| Description | To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_paranoid=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_paranoid = 2 |
| Rationale | Kernel profiling can reveal sensitive information about kernel behaviour. |
OVAL test results detailskernel.perf_event_paranoid static configuration
oval:ssg-test_static_sysctl_kernel_perf_event_paranoid:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | kernel.perf_event_paranoid=2 |
kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_perf_event_paranoid:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | kernel.perf_event_paranoid=2 |
kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_perf_event_paranoid:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ | 1 |
kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_perf_event_paranoid:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ | 1 |
kernel runtime parameter kernel.perf_event_paranoid set to 2
oval:ssg-test_sysctl_runtime_kernel_perf_event_paranoid:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| kernel.perf_event_paranoid | 2 |
Disable storing core dumpsxccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern mediumCCE-82215-5
Disable storing core dumps
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_core_pattern:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82215-5 References:
FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010671, SV-230311r599732_rule |
| Description | To set the runtime status of the kernel.core_pattern kernel parameter, run the following command: $ sudo sysctl -w kernel.core_pattern=|/bin/false
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.core_pattern = |/bin/false |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems. |
OVAL test results detailskernel.core_pattern static configuration
oval:ssg-test_static_sysctl_kernel_core_pattern:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | kernel.core_pattern= |
kernel.core_pattern static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_core_pattern:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | kernel.core_pattern= |
kernel.core_pattern static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_core_pattern:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_kernel_core_pattern:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$ | 1 |
kernel.core_pattern static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_core_pattern:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/sysctl.d/50-coredump.conf |
kernel.core_pattern= |
kernel runtime parameter kernel.core_pattern set to |/bin/false
oval:ssg-test_sysctl_runtime_kernel_core_pattern:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| kernel.core_pattern | |/bin/false |
Restrict usage of ptrace to descendant processesxccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope mediumCCE-80953-3
Restrict usage of ptrace to descendant processes
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80953-3 References:
BP28(R25), SRG-OS-000132-GPOS-00067, RHEL-08-040282, SV-230546r599732_rule |
| Description | To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command: $ sudo sysctl -w kernel.yama.ptrace_scope=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.yama.ptrace_scope = 1 |
| Rationale | Unrestricted usage of ptrace allows compromised binaries to run ptrace
on another processes of the user. Like this, the attacker can steal
sensitive information from the target processes (e.g. SSH sessions, web browser, ...)
without any additional assistance from the user (i.e. without resorting to phishing).
|
OVAL test results detailskernel.yama.ptrace_scope static configuration
oval:ssg-test_static_sysctl_kernel_yama_ptrace_scope:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | kernel.yama.ptrace_scope=1 |
kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_yama_ptrace_scope:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | kernel.yama.ptrace_scope=1 |
kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_yama_ptrace_scope:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_kernel_yama_ptrace_scope:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ | 1 |
kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_yama_ptrace_scope:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_kernel_yama_ptrace_scope:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ | 1 |
kernel runtime parameter kernel.yama.ptrace_scope set to 1
oval:ssg-test_sysctl_runtime_kernel_yama_ptrace_scope:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| kernel.yama.ptrace_scope | 1 |
Disable the use of user namespacesxccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces lowCCE-82211-4
Disable the use of user namespaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_user_max_user_namespaces:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-82211-4 References:
SC-39, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-040284, SV-230548r599732_rule |
| Description | To set the runtime status of the user.max_user_namespaces kernel parameter,
run the following command:
$ sudo sysctl -w user.max_user_namespaces=0
To make sure that the setting is persistent,
add the following line to a file in the directory /etc/sysctl.d:
user.max_user_namespaces = 0
When containers are deployed on the machine, the value should be set
to large non-zero value. |
| Rationale | User namespaces are used primarily for Linux containers. The value 0
disallows the use of user namespaces. |
| Warnings | warning
This configuration baseline was created to deploy the base operating system for general purpose
workloads. When the operating system is configured for certain purposes, such as to host Linux Containers,
it is expected that user.max_user_namespaces will be enabled. |
OVAL test results detailsuser.max_user_namespaces static configuration
oval:ssg-test_static_sysctl_user_max_user_namespaces:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | user.max_user_namespaces=0 |
user.max_user_namespaces static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_user_max_user_namespaces:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | user.max_user_namespaces=0 |
user.max_user_namespaces static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_user_max_user_namespaces:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_user_max_user_namespaces:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$ | 1 |
user.max_user_namespaces static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_user_max_user_namespaces:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_user_max_user_namespaces:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$ | 1 |
kernel runtime parameter user.max_user_namespaces set to 0
oval:ssg-test_sysctl_runtime_user_max_user_namespaces:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| user.max_user_namespaces | 0 |
Disable Access to Network bpf() Syscall From Unprivileged Processesxccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled mediumCCE-82974-7
Disable Access to Network bpf() Syscall From Unprivileged Processes
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82974-7 References:
FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, RHEL-08-040281, SV-230545r599732_rule |
| Description | To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.unprivileged_bpf_disabled = 1 |
| Rationale | Loading and accessing the packet filters programs and maps using the bpf()
syscall has the potential of revealing sensitive information about the kernel state. |
OVAL test results detailskernel.unprivileged_bpf_disabled static configuration
oval:ssg-test_static_sysctl_kernel_unprivileged_bpf_disabled:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | kernel.unprivileged_bpf_disabled=1 |
kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_unprivileged_bpf_disabled:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | kernel.unprivileged_bpf_disabled=1 |
kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_unprivileged_bpf_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_kernel_unprivileged_bpf_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$ | 1 |
kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_unprivileged_bpf_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_kernel_unprivileged_bpf_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$ | 1 |
kernel runtime parameter kernel.unprivileged_bpf_disabled set to 1
oval:ssg-test_sysctl_runtime_kernel_unprivileged_bpf_disabled:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| kernel.unprivileged_bpf_disabled | 1 |
Restrict Access to Kernel Message Bufferxccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict mediumCCE-80913-7
Restrict Access to Kernel Message Buffer
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_dmesg_restrict:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80913-7 References:
BP28(R23), 3.1.5, CCI-001314, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), SRG-OS-000132-GPOS-00067, RHEL-08-010375, SV-230269r599820_rule |
| Description | To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1 |
| Rationale | Unprivileged access to the kernel syslog can expose sensitive kernel
address information. |
OVAL test results detailskernel.dmesg_restrict static configuration
oval:ssg-test_static_sysctl_kernel_dmesg_restrict:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | kernel.dmesg_restrict=1 |
kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_dmesg_restrict:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | kernel.dmesg_restrict=1 |
kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_dmesg_restrict:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ | 1 |
kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_dmesg_restrict:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ | 1 |
kernel runtime parameter kernel.dmesg_restrict set to 1
oval:ssg-test_sysctl_runtime_kernel_dmesg_restrict:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| kernel.dmesg_restrict | 1 |
Disable Kernel Image Loadingxccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled mediumCCE-80952-5
Disable Kernel Image Loading
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_kexec_load_disabled:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80952-5 References:
SRG-OS-000480-GPOS-00227, RHEL-08-010372, SV-230266r599732_rule |
| Description | To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.kexec_load_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kexec_load_disabled = 1 |
| Rationale | Disabling kexec_load allows greater control of the kernel memory.
It makes it impossible to load another kernel image after it has been disabled.
|
OVAL test results detailskernel.kexec_load_disabled static configuration
oval:ssg-test_static_sysctl_kernel_kexec_load_disabled:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.conf | kernel.kexec_load_disabled=1 |
kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_kexec_load_disabled:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysctl.d/99-sysctl.conf | kernel.kexec_load_disabled=1 |
kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_kexec_load_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ | 1 |
kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_kexec_load_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ | 1 |
kernel runtime parameter kernel.kexec_load_disabled set to 1
oval:ssg-test_sysctl_runtime_kernel_kexec_load_disabled:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|
| kernel.kexec_load_disabled | 1 |
Add nodev Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nodev mediumCCE-82077-9
Add nodev Option to /var/log
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_log_nodev:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82077-9 References:
CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040126, SV-230514r599801_rule |
| Description | The nodev mount option can be used to prevent device files from
being created in /var/log.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
OVAL test results detailsnodev on /var/log
oval:ssg-test_var_log_partition_nodev:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /var/log | /dev/mapper/vg0-lv_var_log | 7769ec2e-40c5-4967-bffd-cc04c3af94be | xfs | rw | seclabel | nosuid | nodev | noexec | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 2094592 | 25083 | 2069509 |
Add nosuid Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid mediumCCE-82921-8
Add nosuid Option to /var/log/audit
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_log_audit_nosuid:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82921-8 References:
CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040130, SV-230518r599805_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var/log/audit. The SUID and SGID permissions
should not be required in directories containing audit log files.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from partitions
designated for audit log files. |
OVAL test results detailsnosuid on /var/log/audit
oval:ssg-test_var_log_audit_partition_nosuid:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /var/log/audit | /dev/mapper/vg0-lv_var_audit | e8ba62ce-fa8b-4c33-9be5-32c10a024675 | xfs | rw | seclabel | nosuid | nodev | noexec | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 2094592 | 100566 | 1994026 |
Add nodev Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev mediumCCE-82068-8
Add nodev Option to /var/tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_tmp_nodev:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82068-8 References:
BP28(R12), 1.1.8, SRG-OS-000368-GPOS-00154, RHEL-08-040132, SV-230520r599807_rule |
| Description | The nodev mount option can be used to prevent device files from
being created in /var/tmp. Legitimate character and block devices
should not exist within temporary directories like /var/tmp.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
OVAL test results detailsnodev on /var/tmp
oval:ssg-test_var_tmp_partition_nodev:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /var/tmp | /dev/mapper/vg0-lv_var_tmp | d807f45e-e924-4f4b-a9f6-44e3357c1160 | xfs | rw | seclabel | nosuid | nodev | noexec | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 1046016 | 15586 | 1030430 |
Add nosuid Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid mediumCCE-82140-5
Add nosuid Option to /tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_tmp_nosuid:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82140-5 References:
BP28(R12), 1.1.4, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040124, SV-230512r599732_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /tmp. The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
OVAL test results detailsnosuid on /tmp
oval:ssg-test_tmp_partition_nosuid:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /tmp | /dev/mapper/vg0-lv_tmp | ea351f84-45dc-4eb1-bc4f-9c11f6799657 | xfs | rw | seclabel | nosuid | nodev | noexec | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 783872 | 13750 | 770122 |
Add noexec Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec mediumCCE-82151-2
Add noexec Option to /var/tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_tmp_noexec:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82151-2 References:
BP28(R12), 1.1.10, SRG-OS-000368-GPOS-00154, RHEL-08-040134, SV-230522r599809_rule |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /var/tmp.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp. |
| Rationale | Allowing users to execute binaries from world-writable directories
such as /var/tmp should never be necessary in normal operation and
can expose the system to potential compromise. |
OVAL test results detailsnoexec on /var/tmp
oval:ssg-test_var_tmp_partition_noexec:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /var/tmp | /dev/mapper/vg0-lv_var_tmp | d807f45e-e924-4f4b-a9f6-44e3357c1160 | xfs | rw | seclabel | nosuid | nodev | noexec | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 1046016 | 15586 | 1030430 |
Add noexec Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_noexec mediumCCE-82008-4
Add noexec Option to /var/log
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_log_noexec:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82008-4 References:
BP28(R12), CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040128, SV-230516r599803_rule |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /var/log.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log. |
| Rationale | Allowing users to execute binaries from directories containing log files
such as /var/log should never be necessary in normal operation and
can expose the system to potential compromise. |
OVAL test results detailsnoexec on /var/log
oval:ssg-test_var_log_partition_noexec:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /var/log | /dev/mapper/vg0-lv_var_log | 7769ec2e-40c5-4967-bffd-cc04c3af94be | xfs | rw | seclabel | nosuid | nodev | noexec | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 2094592 | 25083 | 2069509 |
Add nodev Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev lowCCE-80837-8
Add nodev Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_dev_shm_nodev:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-80837-8 References:
1.1.5, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040120, SV-230508r599797_rule |
| Description | The nodev mount option can be used to prevent creation of device
files in /dev/shm. Legitimate character and block devices should
not exist within temporary directories like /dev/shm.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
OVAL test results detailsnodev on /dev/shm
oval:ssg-test_dev_shm_partition_nodev:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | 103217 | 1 | 103216 |
Add nosuid Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid lowCCE-80839-4
Add nosuid Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_dev_shm_nosuid:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-80839-4 References:
1.1.16, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040121, SV-230509r599732_rule |
| Description | The nosuid mount option can be used to prevent execution
of setuid programs in /dev/shm. The SUID and SGID permissions should not
be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
OVAL test results detailsnosuid on /dev/shm
oval:ssg-test_dev_shm_partition_nosuid:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | 103217 | 1 | 103216 |
Add nosuid Option to /bootxccdf_org.ssgproject.content_rule_mount_option_boot_nosuid mediumCCE-81033-3
Add nosuid Option to /boot
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_boot_nosuid:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81033-3 References:
BP28(R12), CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-010571, SV-230300r599732_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /boot. The SUID and SGID permissions
should not be required on the boot partition.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/boot. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from boot partitions. |
|
|
|
OVAL test results detailsnosuid on /boot
oval:ssg-test_boot_partition_nosuid:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_boot_partition_nosuid:obj:1 of type
partition_object
Add noexec Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_noexec mediumCCE-82139-7
Add noexec Option to /tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_tmp_noexec:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82139-7 References:
BP28(R12), 1.1.5, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040125, SV-230513r599800_rule |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /tmp.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp. |
| Rationale | Allowing users to execute binaries from world-writable directories
such as /tmp should never be necessary in normal operation and
can expose the system to potential compromise. |
OVAL test results detailsnoexec on /tmp
oval:ssg-test_tmp_partition_noexec:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /tmp | /dev/mapper/vg0-lv_tmp | ea351f84-45dc-4eb1-bc4f-9c11f6799657 | xfs | rw | seclabel | nosuid | nodev | noexec | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 783872 | 13750 | 770122 |
Add nosuid Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid mediumCCE-82154-6
Add nosuid Option to /var/tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_tmp_nosuid:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82154-6 References:
BP28(R12), 1.1.9, SRG-OS-000368-GPOS-00154, RHEL-08-040133, SV-230521r599808_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var/tmp. The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
OVAL test results detailsnosuid on /var/tmp
oval:ssg-test_var_tmp_partition_nosuid:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /var/tmp | /dev/mapper/vg0-lv_var_tmp | d807f45e-e924-4f4b-a9f6-44e3357c1160 | xfs | rw | seclabel | nosuid | nodev | noexec | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 1046016 | 15586 | 1030430 |
Add noexec Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec lowCCE-80838-6
Add noexec Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_dev_shm_noexec:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-80838-6 References:
1.1.17, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040122, SV-230510r599798_rule |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /dev/shm.
It can be dangerous to allow the execution of binaries
from world-writable temporary storage directories such as /dev/shm.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| Rationale | Allowing users to execute binaries from world-writable directories
such as /dev/shm can expose the system to potential compromise. |
|
|
OVAL test results detailsnoexec on /dev/shm
oval:ssg-test_dev_shm_partition_noexec:tst:1
false
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | 103217 | 1 | 103216 |
Add nodev Option to Non-Root Local Partitionsxccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions mediumCCE-82069-6
Add nodev Option to Non-Root Local Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_nodev_nonroot_local_partitions:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82069-6 References:
BP28(R12), 1.1.11, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-010580, SV-230301r599732_rule |
| Description | The nodev mount option prevents files from being interpreted as
character or block devices. Legitimate character and block devices should
exist only in the /dev directory on the root partition or within
chroot jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
any non-root local partitions. |
| Rationale | The nodev mount option prevents files from being
interpreted as character or block devices. The only legitimate location
for device files is the /dev directory located on the root partition.
The only exception to this is chroot jails, for which it is not advised
to set nodev on these filesystems. |
OVAL test results detailsnodev on local filesystems
oval:ssg-test_nodev_nonroot_local_partitions:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_non_root_partitions:obj:1 of type
partition_object
| Mount point | Filter |
|---|
| ^/\w.*$ | oval:ssg-state_local_nodev:ste:1 |
Add nodev Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev mediumCCE-82080-3
Add nodev Option to /var/log/audit
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_log_audit_nodev:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82080-3 References:
CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040129, SV-230517r599804_rule |
| Description | The nodev mount option can be used to prevent device files from
being created in /var/log/audit.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
OVAL test results detailsnodev on /var/log/audit
oval:ssg-test_var_log_audit_partition_nodev:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /var/log/audit | /dev/mapper/vg0-lv_var_audit | e8ba62ce-fa8b-4c33-9be5-32c10a024675 | xfs | rw | seclabel | nosuid | nodev | noexec | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 2094592 | 100598 | 1993994 |
Add nodev Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions lowCCE-82742-8
Add nodev Option to Removable Media Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_nodev_removable_partitions:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-82742-8 References:
1.1.18, 11, 12, 13, 14, 16, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010600, SV-230303r599732_rule |
| Description | The nodev mount option prevents files from being
interpreted as character or block devices.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. An exception to this is chroot jails, and it is
not advised to set nodev on partitions which contain their root
filesystems. |
OVAL test results detailsCheck if expected removable partitions truly exist on the system
oval:ssg-test_removable_partition_doesnt_exist:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_removable_partition_doesnt_exist:obj:1 of type
file_object
Check if removable partition variable value represents CD/DVD drive
oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-var_removable_partition:var:1 | /dev/cdrom |
'nodev' mount option used for at least one CD / DVD drive alternative names in /etc/fstab
oval:ssg-test_nodev_etc_fstab_cd_dvd_drive:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_nodev_etc_fstab_cd_dvd_drive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | /dev/cdrom | | /dev/dvd | | /dev/scd0 | | /dev/sr0 |
| /etc/fstab | 1 |
'CD/DVD drive is not listed in /etc/fstab
oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /dev/cdrom | | /dev/dvd | | /dev/scd0 | | /dev/sr0 |
| /etc/fstab | 1 |
Check if removable partition is configured with 'nodev' mount option in /etc/fstab
oval:ssg-test_nodev_etc_fstab_not_cd_dvd_drive:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_nodev_etc_fstab_not_cd_dvd_drive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | /dev/cdrom |
| /etc/fstab | 1 |
Add noexec Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions mediumCCE-82746-9
Add noexec Option to Removable Media Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_noexec_removable_partitions:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82746-9 References:
1.1.20, 11, 12, 13, 14, 16, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06, CCI-000087, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010610, SV-230304r599732_rule |
| Description | The noexec mount option prevents the direct execution of binaries
on the mounted filesystem. Preventing the direct execution of binaries from
removable media (such as a USB key) provides a defense against malicious
software that may be present on such untrusted media.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions. |
| Rationale | Allowing users to execute binaries from removable media such as USB keys exposes
the system to potential compromise. |
OVAL test results detailsCheck if expected removable partitions truly exist on the system
oval:ssg-test_removable_partition_doesnt_exist:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_removable_partition_doesnt_exist:obj:1 of type
file_object
Check if removable partition variable value represents CD/DVD drive
oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-var_removable_partition:var:1 | /dev/cdrom |
'noexec' mount option used for at least one CD / DVD drive alternative names in /etc/fstab
oval:ssg-test_noexec_etc_fstab_cd_dvd_drive:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_noexec_etc_fstab_cd_dvd_drive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | /dev/cdrom | | /dev/dvd | | /dev/scd0 | | /dev/sr0 |
| /etc/fstab | 1 |
'CD/DVD drive is not listed in /etc/fstab
oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /dev/cdrom | | /dev/dvd | | /dev/scd0 | | /dev/sr0 |
| /etc/fstab | 1 |
Check if removable partition is configured with 'noexec' mount option in /etc/fstab
oval:ssg-test_noexec_etc_fstab_not_cd_dvd_drive:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_noexec_etc_fstab_not_cd_dvd_drive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | /dev/cdrom |
| /etc/fstab | 1 |
Add nosuid Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions mediumCCE-82744-4
Add nosuid Option to Removable Media Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_nosuid_removable_partitions:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82744-4 References:
1.1.19, 11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9, APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010620, SV-230305r599732_rule |
| Description | The nosuid mount option prevents set-user-identifier (SUID)
and set-group-identifier (SGID) permissions from taking effect. These permissions
allow users to execute binaries with the same permissions as the owner and group
of the file respectively. Users should not be allowed to introduce SUID and SGID
files into the system via partitions mounted from removeable media.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Allowing
users to introduce SUID or SGID binaries from partitions mounted off of
removable media would allow them to introduce their own highly-privileged programs. |
OVAL test results detailsCheck if expected removable partitions truly exist on the system
oval:ssg-test_removable_partition_doesnt_exist:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_removable_partition_doesnt_exist:obj:1 of type
file_object
Check if removable partition variable value represents CD/DVD drive
oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-var_removable_partition:var:1 | /dev/cdrom |
'nosuid' mount option used for at least one CD / DVD drive alternative names in /etc/fstab
oval:ssg-test_nosuid_etc_fstab_cd_dvd_drive:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_nosuid_etc_fstab_cd_dvd_drive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | /dev/cdrom | | /dev/dvd | | /dev/scd0 | | /dev/sr0 |
| /etc/fstab | 1 |
'CD/DVD drive is not listed in /etc/fstab
oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /dev/cdrom | | /dev/dvd | | /dev/scd0 | | /dev/sr0 |
| /etc/fstab | 1 |
Check if removable partition is configured with 'nosuid' mount option in /etc/fstab
oval:ssg-test_nosuid_etc_fstab_not_cd_dvd_drive:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_nosuid_etc_fstab_not_cd_dvd_drive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | /dev/cdrom |
| /etc/fstab | 1 |
Add nosuid Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nosuid mediumCCE-81050-7
Add nosuid Option to /home
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_nosuid |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_home_nosuid:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81050-7 References:
BP28(R12), 1.1.3, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010570, SV-230299r599732_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /home. The SUID and SGID permissions
should not be required in these user data directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/home. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from user home directory partitions. |
OVAL test results detailsnosuid on /home
oval:ssg-test_home_partition_nosuid:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /home | /dev/mapper/vg0-lv_home | 809086ff-8cc9-40eb-8916-a1bf5c5727c8 | xfs | rw | seclabel | nosuid | nodev | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 1046016 | 15571 | 1030445 |
Add noexec Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec mediumCCE-82975-4
Add noexec Option to /var/log/audit
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_log_audit_noexec:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82975-4 References:
CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040131, SV-230519r599806_rule |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /var/log/audit.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit. |
| Rationale | Allowing users to execute binaries from directories containing audit log files
such as /var/log/audit should never be necessary in normal operation and
can expose the system to potential compromise. |
OVAL test results detailsnoexec on /var/log/audit
oval:ssg-test_var_log_audit_partition_noexec:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /var/log/audit | /dev/mapper/vg0-lv_var_audit | e8ba62ce-fa8b-4c33-9be5-32c10a024675 | xfs | rw | seclabel | nosuid | nodev | noexec | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 2094592 | 100598 | 1993994 |
Add nosuid Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid mediumCCE-82065-4
Add nosuid Option to /var/log
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_log_nosuid:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82065-4 References:
BP28(R12), CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040127, SV-230515r599802_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var/log. The SUID and SGID permissions
should not be required in directories containing log files.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from partitions
designated for log files. |
OVAL test results detailsnosuid on /var/log
oval:ssg-test_var_log_partition_nosuid:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /var/log | /dev/mapper/vg0-lv_var_log | 7769ec2e-40c5-4967-bffd-cc04c3af94be | xfs | rw | seclabel | nosuid | nodev | noexec | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 2094592 | 25083 | 2069509 |
Add nodev Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nodev mediumCCE-82623-0
Add nodev Option to /tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_tmp_nodev:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82623-0 References:
BP28(R12), 1.1.3, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040123, SV-230511r599799_rule |
| Description | The nodev mount option can be used to prevent device files from
being created in /tmp. Legitimate character and block devices
should not exist within temporary directories like /tmp.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
OVAL test results detailsnodev on /tmp
oval:ssg-test_tmp_partition_nodev:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /tmp | /dev/mapper/vg0-lv_tmp | ea351f84-45dc-4eb1-bc4f-9c11f6799657 | xfs | rw | seclabel | nosuid | nodev | noexec | noatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | 783872 | 13750 | 770122 |
Ensure Logs Sent To Remote Hostxccdf_org.ssgproject.content_rule_rsyslog_remote_loghost mediumCCE-80863-4
Ensure Logs Sent To Remote Host
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rsyslog_remote_loghost:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80863-4 References:
BP28(R7), NT28(R43), NT12(R5), 4.2.1.5, 1, 13, 14, 15, 16, 2, 3, 5, 6, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001348, CCI-000136, CCI-001851, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 7.1, SR 7.2, 0988, 1405, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.17.2.1, CM-6(a), AU-4(1), AU-9(2), PR.DS-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000480-GPOS-00227, RHEL-08-030690, SV-230479r599732_rule, SRG-OS-000032-VMM-000130 |
| Description | To configure rsyslog to send logs to a remote log server,
open /etc/rsyslog.conf and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting logcollector appropriately.
The choice of protocol depends on the environment of the system;
although TCP and RELP provide more reliable message delivery,
they may not be supported in all environments.
To use UDP for log message delivery:
*.* @logcollector
To use TCP for log message delivery:
*.* @@logcollector
To use RELP for log message delivery:
*.* :omrelp:logcollector
There must be a resolvable DNS CNAME or Alias record set to " logcollector" for logs to be sent correctly to the centralized logging utility. |
| Rationale | A log server (loghost) receives syslog messages from one or more
systems. This data can be used as an additional log source in the event a
system is compromised and its local logs are suspect. Forwarding log messages
to a remote loghost also provides system administrators with a centralized
place to view the status of multiple hosts within the enterprise. |
|
|
OVAL test results detailsEnsures system configured to export logs to remote host
oval:ssg-test_remote_rsyslog_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_remote_loghost_rsyslog_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/rsyslog.conf | ^\*\.\*[\s]+(?:@|\:omrelp\:) | 1 |
Ensures system configured to export logs to remote host
oval:ssg-test_remote_rsyslog_d:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_remote_loghost_rsyslog_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/rsyslog.d | .* | ^\*\.\*[\s]+(?:@|\:omrelp\:) | 1 |
Ensure cron Is Logging To Rsyslogxccdf_org.ssgproject.content_rule_rsyslog_cron_logging mediumCCE-80859-2
Ensure cron Is Logging To Rsyslog
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_cron_logging |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rsyslog_cron_logging:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80859-2 References:
1, 14, 15, 16, 3, 5, 6, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-000366, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, 0988, 1405, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.15.2.1, A.15.2.2, CM-6(a), ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000480-GPOS-00227, RHEL-08-030010, SV-230387r599732_rule |
| Description | Cron logging must be implemented to spot intrusions or trace
cron job status. If cron is not logging to rsyslog, it
can be implemented by adding the following to the RULES section of
/etc/rsyslog.conf:
cron.* /var/log/cron |
| Rationale | Cron logging can be used to trace the successful or unsuccessful execution
of cron jobs. It can also be used to spot intrusions into the use of the cron
facility by unauthorized and malicious users. |
OVAL test results detailscron is configured in /etc/rsyslog.conf
oval:ssg-test_cron_logging_rsyslog:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/rsyslog.conf | cron.* /var/log/cron |
cron is configured in /etc/rsyslog.d
oval:ssg-test_cron_logging_rsyslog_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_cron_logging_rsyslog_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/rsyslog.d | ^.*$ | ^[\s]*cron\.\*[\s]+/var/log/cron$ | 1 |
Ensure rsyslog-gnutls is installedxccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed mediumCCE-82859-0
Ensure rsyslog-gnutls is installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_rsyslog-gnutls_installed:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82859-0 References:
FTP_ITC_EXT.1.1, SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061, RHEL-08-030680, SV-230478r599732_rule |
| Description | TLS protocol support for rsyslog is installed.
The rsyslog-gnutls package can be installed with the following command:
$ sudo yum install rsyslog-gnutls |
| Rationale | The rsyslog-gnutls package provides Transport Layer Security (TLS) support
for the rsyslog daemon, which enables secure remote logging. |
OVAL test results detailspackage rsyslog-gnutls is installed
oval:ssg-test_package_rsyslog-gnutls_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| rsyslog-gnutls | x86_64 | (none) | 7.el8_4.2 | 8.1911.0 | 0:8.1911.0-7.el8_4.2 | 199e2f91fd431d51 | rsyslog-gnutls-0:8.1911.0-7.el8_4.2.x86_64 |
Ensure rsyslog is Installedxccdf_org.ssgproject.content_rule_package_rsyslog_installed mediumCCE-80847-7
Ensure rsyslog is Installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsyslog_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_rsyslog_installed:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80847-7 References:
BP28(R5), NT28(R46), 4.2.1.1, 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, RHEL-08-030670, SV-230477r599732_rule |
| Description | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ sudo yum install rsyslog |
| Rationale | The rsyslog package provides the rsyslog daemon, which provides
system logging services. |
OVAL test results detailspackage rsyslog is installed
oval:ssg-test_package_rsyslog_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| rsyslog | x86_64 | (none) | 7.el8_4.2 | 8.1911.0 | 0:8.1911.0-7.el8_4.2 | 199e2f91fd431d51 | rsyslog-0:8.1911.0-7.el8_4.2.x86_64 |
Enable rsyslog Servicexccdf_org.ssgproject.content_rule_service_rsyslog_enabled mediumCCE-80886-5
Enable rsyslog Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_rsyslog_enabled:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80886-5 References:
BP28(R5), NT28(R46), 4.2.1.2, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227, RHEL-08-010561, SV-230298r599732_rule |
| Description | The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 8.
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service |
| Rationale | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. |
OVAL test results detailspackage rsyslog is installed
oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| rsyslog | x86_64 | (none) | 7.el8_4.2 | 8.1911.0 | 0:8.1911.0-7.el8_4.2 | 199e2f91fd431d51 | rsyslog-0:8.1911.0-7.el8_4.2.x86_64 |
Test that the rsyslog service is running
oval:ssg-test_service_running_rsyslog:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|
| rsyslog.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_rsyslog:tst:1
true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
systemd test
oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
Install usbguard Packagexccdf_org.ssgproject.content_rule_package_usbguard_installed mediumCCE-82959-8
Install usbguard Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_usbguard_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_usbguard_installed:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82959-8 References:
1418, SRG-OS-000378-GPOS-00163 |
| Description | The usbguard package can be installed with the following command:
$ sudo yum install usbguard |
| Rationale | usbguard is a software framework that helps to protect
against rogue USB devices by implementing basic whitelisting/blacklisting
capabilities based on USB device attributes.
|
OVAL test results detailspackage usbguard is installed
oval:ssg-test_package_usbguard_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| usbguard | x86_64 | (none) | 2.el8 | 1.0.0 | 0:1.0.0-2.el8 | 199e2f91fd431d51 | usbguard-0:1.0.0-2.el8.x86_64 |
Enable the USBGuard Servicexccdf_org.ssgproject.content_rule_service_usbguard_enabled mediumCCE-82853-3
Enable the USBGuard Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_usbguard_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_usbguard_enabled:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82853-3 References:
1418, FMT_SMF_EXT.1, SRG-OS-000378-GPOS-00163, RHEL-08-040140, SV-230524r599732_rule |
| Description | The USBGuard service should be enabled.
The usbguard service can be enabled with the following command:
$ sudo systemctl enable usbguard.service |
| Rationale | The usbguard service must be running in order to
enforce the USB device authorization policy for all USB devices. |
OVAL test results detailspackage usbguard is installed
oval:ssg-test_service_usbguard_package_usbguard_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| usbguard | x86_64 | (none) | 2.el8 | 1.0.0 | 0:1.0.0-2.el8 | 199e2f91fd431d51 | usbguard-0:1.0.0-2.el8.x86_64 |
Test that the usbguard service is running
oval:ssg-test_service_running_usbguard:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|
| usbguard.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_usbguard:tst:1
true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
systemd test
oval:ssg-test_multi_user_wants_usbguard_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
Log USBGuard daemon audit events using Linux Auditxccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend mediumCCE-82168-6
Log USBGuard daemon audit events using Linux Audit
| Rule ID | xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_usbguard_auditbackend:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82168-6 References:
FMT_SMF_EXT.1, SRG-OS-000062-GPOS-00031, RHEL-08-030603, SV-230470r599732_rule |
| Description | To configure USBGuard daemon to log via Linux Audit
(as opposed directly to a file),
AuditBackend option in /etc/usbguard/usbguard-daemon.conf
needs to be set to LinuxAudit. |
| Rationale | Using the Linux Audit logging allows for centralized trace
of events. |
OVAL test results detailstests the value of AuditBackend setting in the /etc/usbguard/usbguard-daemon.conf file
oval:ssg-test_configure_usbguard_auditbackend:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/usbguard/usbguard-daemon.conf | AuditBackend=LinuxAudit |
The configuration file /etc/usbguard/usbguard-daemon.conf exists for configure_usbguard_auditbackend
oval:ssg-test_configure_usbguard_auditbackend_config_file_exists:tst:1
true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|
| /etc/usbguard/usbguard-daemon.conf | regular | 0 | 0 | 6419 | rw------- |
Uninstall vsftpd Packagexccdf_org.ssgproject.content_rule_package_vsftpd_removed highCCE-82414-4
Uninstall vsftpd Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_vsftpd_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_vsftpd_removed:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-82414-4 References:
11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040360, SV-230558r599732_rule |
| Description | The vsftpd package can be removed with the following command: $ sudo yum erase vsftpd |
| Rationale | Removing the vsftpd package decreases the risk of its
accidental activation. |
OVAL test results detailspackage vsftpd is removed
oval:ssg-test_package_vsftpd_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_vsftpd_removed:obj:1 of type
rpminfo_object
Disable Kerberos by removing host keytabxccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab mediumCCE-82175-1
Disable Kerberos by removing host keytab
| Rule ID | xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kerberos_disable_no_keytab:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82175-1 References:
0418, 1055, 1402, FTP_ITC_EXT.1, SRG-OS-000120-GPOS-00061, RHEL-08-010161, SV-230238r599732_rule |
| Description | Kerberos is not an approved key distribution method for
Common Criteria. To prevent using Kerberos by system daemons,
remove the Kerberos keytab files, especially
/etc/krb5.keytab. |
| Rationale | The key derivation function (KDF) in Kerberos is not FIPS compatible. |
OVAL test results detailsEnsure keytab file does not exist
oval:ssg-test_kerberos_disable_no_keytab:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_kerberos_disable_no_keytab:obj:1 of type
file_object
| Filepath |
|---|
| ^/etc/.+\.keytab$ |
Enable Smartcards in SSSDxccdf_org.ssgproject.content_rule_sssd_enable_smartcards mediumCCE-80909-5
Enable Smartcards in SSSD
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_enable_smartcards |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sssd_enable_smartcards:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80909-5 References:
CCI-001954, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, SRG-OS-000375-GPOS-00160, RHEL-08-020250, SV-230372r599732_rule, SRG-OS-000107-VMM-000530 |
| Description | SSSD should be configured to authenticate access to the system
using smart cards. To enable smart cards in SSSD, set pam_cert_auth
to true under the [pam]
section in /etc/sssd/sssd.conf. For example:
[pam]
pam_cert_auth = true
|
| Rationale | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card. |
OVAL test results detailspackage sssd-common is removed
oval:ssg-test_service_sssd_package_sssd-common_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| sssd-common | x86_64 | (none) | 9.el8_4.1 | 2.4.0 | 0:2.4.0-9.el8_4.1 | 199e2f91fd431d51 | sssd-common-0:2.4.0-9.el8_4.1.x86_64 |
Test that the sssd service is not running
oval:ssg-test_service_not_running_sssd:tst:1
false
Following items have been found on the system:
| Unit | Property | Value |
|---|
| sssd.service | ActiveState | active |
Test that the property LoadState from the service sssd is masked
oval:ssg-test_service_loadstate_is_masked_sssd:tst:1
false
Following items have been found on the system:
| Unit | Property | Value |
|---|
| sssd.service | LoadState | loaded |
Test that the property FragmentPath from the service sssd is set to /dev/null
oval:ssg-test_service_fragmentpath_is_dev_null_sssd:tst:1
false
Following items have been found on the system:
| Unit | Property | Value |
|---|
| sssd.service | FragmentPath | /usr/lib/systemd/system/sssd.service |
Testing if /etc/sssd/sssd.conf exists
oval:ssg-test_sssd_conf_exists:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_sssd_conf_exists:obj:1 of type
file_object
| Filepath |
|---|
| /etc/sssd/sssd.conf |
tests the value of pam_cert_auth setting in the /etc/sssd/sssd.conf file
oval:ssg-test_sssd_enable_smartcards:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_enable_smartcards:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/sssd/sssd.conf | ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*pam_cert_auth[\s]*=[\s]*true$ | 1 |
Configure SSSD to Expire Offline Credentialsxccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration mediumCCE-82460-7
Configure SSSD to Expire Offline Credentials
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sssd_offline_cred_expiration:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82460-7 References:
1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-002007, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), IA-5(13), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000383-GPOS-00166, RHEL-08-020290, SV-230376r599732_rule, SRG-OS-000383-VMM-001570 |
| Description | SSSD should be configured to expire offline credentials after 1 day.
To configure SSSD to expire offline credentials, set
offline_credentials_expiration to 1 under the [pam]
section in /etc/sssd/sssd.conf. For example:
[pam]
offline_credentials_expiration = 1
|
| Rationale | If cached authentication information is out-of-date, the validity of the
authentication information may be questionable. |
OVAL test results detailspackage sssd-common is removed
oval:ssg-test_service_sssd_package_sssd-common_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| sssd-common | x86_64 | (none) | 9.el8_4.1 | 2.4.0 | 0:2.4.0-9.el8_4.1 | 199e2f91fd431d51 | sssd-common-0:2.4.0-9.el8_4.1.x86_64 |
Test that the sssd service is not running
oval:ssg-test_service_not_running_sssd:tst:1
false
Following items have been found on the system:
| Unit | Property | Value |
|---|
| sssd.service | ActiveState | active |
Test that the property LoadState from the service sssd is masked
oval:ssg-test_service_loadstate_is_masked_sssd:tst:1
false
Following items have been found on the system:
| Unit | Property | Value |
|---|
| sssd.service | LoadState | loaded |
Test that the property FragmentPath from the service sssd is set to /dev/null
oval:ssg-test_service_fragmentpath_is_dev_null_sssd:tst:1
false
Following items have been found on the system:
| Unit | Property | Value |
|---|
| sssd.service | FragmentPath | /usr/lib/systemd/system/sssd.service |
Testing if /etc/sssd/sssd.conf exists
oval:ssg-test_sssd_conf_exists:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_sssd_conf_exists:obj:1 of type
file_object
| Filepath |
|---|
| /etc/sssd/sssd.conf |
tests the value of offline_credentials_expiration setting in the /etc/sssd/sssd.conf file
oval:ssg-test_sssd_offline_cred_expiration:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_offline_cred_expiration:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/sssd/sssd.conf | ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration[\s]*=[\s]*1$ | 1 |
Uninstall Automatic Bug Reporting Tool (abrt)xccdf_org.ssgproject.content_rule_package_abrt_removed mediumCCE-80948-3
Uninstall Automatic Bug Reporting Tool (abrt)
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt_removed:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80948-3 References:
SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r599732_rule |
| Description | The Automatic Bug Reporting Tool ( abrt) collects
and reports crash data when an application crash is detected. Using a variety
of plugins, abrt can email crash reports to system administrators, log crash
reports to files, or forward crash reports to a centralized issue tracking
system such as RHTSupport.
The abrt package can be removed with the following command:
$ sudo yum erase abrt |
| Rationale | Mishandling crash data could expose sensitive information about
vulnerabilities in software executing on the system, as well as sensitive
information from within a process's address space or registers. |
OVAL test results detailspackage abrt is removed
oval:ssg-test_package_abrt_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt_removed:obj:1 of type
rpminfo_object
Disable KDump Kernel Crash Analyzer (kdump)xccdf_org.ssgproject.content_rule_service_kdump_disabled mediumCCE-80878-2
Disable KDump Kernel Crash Analyzer (kdump)
| Rule ID | xccdf_org.ssgproject.content_rule_service_kdump_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_kdump_disabled:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80878-2 References:
11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000366, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, FMT_SMF_EXT.1.1, SRG-OS-000480-GPOS-00227, RHEL-08-010670, SV-230310r599780_rule |
| Description | The kdump service provides a kernel crash dump analyzer. It uses the kexec
system call to boot a secondary kernel ("capture" kernel) following a system
crash, which can load information from the crashed kernel for analysis.
The kdump service can be disabled with the following command:
$ sudo systemctl mask --now kdump.service |
| Rationale | Kernel core dumps may contain the full contents of system memory at the
time of the crash. Kernel core dumps consume a considerable amount of disk
space and may result in denial of service by exhausting the available space
on the target file system partition. Unless the system is used for kernel
development or testing, there is little need to run the kdump service. |
OVAL test results detailspackage kexec-tools is removed
oval:ssg-test_service_kdump_package_kexec-tools_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| kexec-tools | x86_64 | (none) | 46.el8_4.2 | 2.0.20 | 0:2.0.20-46.el8_4.2 | 199e2f91fd431d51 | kexec-tools-0:2.0.20-46.el8_4.2.x86_64 |
Test that the kdump service is not running
oval:ssg-test_service_not_running_kdump:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_kdump:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^kdump\.(service|socket)$ | ActiveState |
Test that the property LoadState from the service kdump is masked
oval:ssg-test_service_loadstate_is_masked_kdump:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_kdump:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^kdump\.(service|socket)$ | LoadState |
Test that the property FragmentPath from the service kdump is set to /dev/null
oval:ssg-test_service_fragmentpath_is_dev_null_kdump:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_fragmentpath_is_dev_null_kdump:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^kdump\.(service|socket)$ | FragmentPath |
Enable the Hardware RNG Entropy Gatherer Servicexccdf_org.ssgproject.content_rule_service_rngd_enabled mediumCCE-82831-9
Enable the Hardware RNG Entropy Gatherer Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rngd_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_rngd_enabled:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82831-9 References:
FCS_RBG_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010471, SV-230285r599779_rule |
| Description | The Hardware RNG Entropy Gatherer service should be enabled.
The rngd service can be enabled with the following command:
$ sudo systemctl enable rngd.service |
| Rationale | The rngd service
feeds random data from hardware device to kernel random device. |
OVAL test results detailspackage rng-tools is installed
oval:ssg-test_service_rngd_package_rng-tools_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| rng-tools | x86_64 | (none) | 3.el8 | 6.8 | 0:6.8-3.el8 | 199e2f91fd431d51 | rng-tools-0:6.8-3.el8.x86_64 |
Test that the rngd service is running
oval:ssg-test_service_running_rngd:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|
| rngd.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_rngd:tst:1
true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
systemd test
oval:ssg-test_multi_user_wants_rngd_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
Configure System to Forward All Mail For The Root Accountxccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias lowCCE-82381-5
Configure System to Forward All Mail For The Root Account
| Rule ID | xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-postfix_client_configure_mail_alias:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-82381-5 References:
BP28(R49), CCI-000366, CM-6(a), SRG-OS-000046-GPOS-00022, RHEL-08-030030, SV-230389r599732_rule |
| Description | Make sure that mails delivered to root user are forwarded to a monitored
email address. Make sure that the address
system.administrator@mail.mil is a valid email address
reachable from the system in question. Use the following command to
configure the alias:
$ sudo echo "root: system.administrator@mail.mil" >> /etc/aliases
$ sudo newaliases |
| Rationale | A number of system services utilize email messages sent to the root user to
notify system administrators of active or impending issues. These messages must
be forwarded to at least one monitored email address. |
OVAL test results detailsCheck if root has the correct mail alias.
oval:ssg-test_postfix_client_configure_mail_alias:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/aliases | root: system.administrator@mail.mil |
Uninstall Sendmail Packagexccdf_org.ssgproject.content_rule_package_sendmail_removed mediumCCE-81039-0
Uninstall Sendmail Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_sendmail_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_sendmail_removed:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-81039-0 References:
BP28(R1), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040002, SV-230489r599732_rule |
| Description | Sendmail is not the default mail transfer agent and is
not installed by default.
The sendmail package can be removed with the following command:
$ sudo yum erase sendmail |
| Rationale | The sendmail software was not developed with security in mind and
its design prevents it from being effectively contained by SELinux. Postfix
should be used instead. |
OVAL test results detailspackage sendmail is removed
oval:ssg-test_package_sendmail_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_sendmail_removed:obj:1 of type
rpminfo_object
Uninstall tftp-server Packagexccdf_org.ssgproject.content_rule_package_tftp-server_removed highCCE-82436-7
Uninstall tftp-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_tftp-server_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_tftp-server_removed:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-82436-7 References:
11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040190, SV-230533r599732_rule |
| Description | The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server |
| Rationale | Removing the tftp-server package decreases the risk of the accidental
(or intentional) activation of tftp services.
If TFTP is required for operational support (such as transmission of router
configurations), its use must be documented with the Information Systems
Securty Manager (ISSM), restricted to only authorized personnel, and have
access control rules established. |
OVAL test results detailspackage tftp-server is removed
oval:ssg-test_package_tftp-server_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tftp-server_removed:obj:1 of type
rpminfo_object
Ensure tftp Daemon Uses Secure Modexccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode highCCE-82434-2
Ensure tftp Daemon Uses Secure Mode
| Rule ID | xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-tftpd_uses_secure_mode:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-82434-2 References:
11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9, APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(b), AC-6, CM-7(a), PR.AC-3, PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040350, SV-230557r599732_rule |
| Description | If running the tftp service is necessary, it should be configured
to change its root directory at startup. To do so, ensure
/etc/xinetd.d/tftp includes -s as a command line argument, as shown in
the following example:
server_args = -s /var/lib/tftpboot |
| Rationale | Using the -s option causes the TFTP service to only serve files from the
given directory. Serving files from an intentionally-specified directory
reduces the risk of sharing files which should remain private. |
OVAL test results detailspackage tftp-server is removed
oval:ssg-test_package_tftp-server_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tftp-server_removed:obj:1 of type
rpminfo_object
tftpd secure mode
oval:ssg-test_tftpd_uses_secure_mode:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_tftpd_uses_secure_mode:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/xinetd.d/tftp | ^[\s]*server_args[\s]+=[\s]+.*?-s[\s]+([/\.\w]+).*$ | 1 |
Uninstall telnet-server Packagexccdf_org.ssgproject.content_rule_package_telnet-server_removed highCCE-82182-7
Uninstall telnet-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_telnet-server_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_telnet-server_removed:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-82182-7 References:
2.1.1, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, RHEL-08-040000, SV-230487r599732_rule |
| Description | The telnet-server package can be removed with the following command:
$ sudo yum erase telnet-server |
| Rationale | It is detrimental for operating systems to provide, or install by default,
functionality exceeding requirements or mission objectives. These
unnecessary capabilities are often overlooked and therefore may remain
unsecure. They increase the risk to the platform by providing additional
attack vectors.
The telnet service provides an unencrypted remote access service which does
not provide for the confidentiality and integrity of user passwords or the
remote session. If a privileged user were to login using this service, the
privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the
telnet service's accidental (or intentional) activation. |
OVAL test results detailspackage telnet-server is removed
oval:ssg-test_package_telnet-server_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_telnet-server_removed:obj:1 of type
rpminfo_object
Uninstall rsh-server Packagexccdf_org.ssgproject.content_rule_package_rsh-server_removed highCCE-82184-3
Uninstall rsh-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsh-server_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_rsh-server_removed:def:1 |
| Time | 2021-08-12T02:38:23+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-82184-3 References:
11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, RHEL-08-040010, SV-230492r599732_rule |
| Description | The rsh-server package can be removed with the following command:
$ sudo yum erase rsh-server |
| Rationale | The rsh-server service provides unencrypted remote access service which does not
provide for the confidentiality and integrity of user passwords or the remote session and has very weak
authentication. If a privileged user were to login using this service, the privileged user password
could be compromised. The rsh-server package provides several obsolete and insecure
network services. Removing it decreases the risk of those services' accidental (or intentional)
activation. |
OVAL test results detailspackage rsh-server is removed
oval:ssg-test_package_rsh-server_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_rsh-server_removed:obj:1 of type
rpminfo_object
Remove Host-Based Authentication Filesxccdf_org.ssgproject.content_rule_no_host_based_files highCCE-84055-3
Remove Host-Based Authentication Files
| Rule ID | xccdf_org.ssgproject.content_rule_no_host_based_files |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_host_based_files:def:1 |
| Time | 2021-08-12T02:38:25+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-84055-3 References:
CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010460, SV-230283r599732_rule |
| Description | The shosts.equiv file list remote hosts
and users that are trusted by the local system.
To remove these files, run the following command to delete them from any
location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv |
| Rationale | The shosts.equiv files are used to configure host-based authentication for the
system via SSH. Host-based authentication is not sufficient for preventing
unauthorized access to the system, as it does not require interactive
identification and authentication of a connection request, or for the use of
two-factor authentication. |
OVAL test results detailslook for shosts.equiv in /
oval:ssg-test_no_shosts_equiv:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_shosts_equiv_files_root:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|
| no value | / | shosts.equiv |
Remove User Host-Based Authentication Filesxccdf_org.ssgproject.content_rule_no_user_host_based_files highCCE-84056-1
Remove User Host-Based Authentication Files
| Rule ID | xccdf_org.ssgproject.content_rule_no_user_host_based_files |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_user_host_based_files:def:1 |
| Time | 2021-08-12T02:38:27+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-84056-1 References:
CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010470, SV-230284r599732_rule |
| Description | The ~/.shosts (in each user's home directory) files
list remote hosts and users that are trusted by the
local system. To remove these files, run the following command
to delete them from any location:
$ sudo find / -name '.shosts' -type f -delete |
| Rationale | The .shosts files are used to configure host-based authentication for
individual users or the system via SSH. Host-based authentication is not
sufficient for preventing unauthorized access to the system, as it does not
require interactive identification and authentication of a connection request,
or for the use of two-factor authentication. |
OVAL test results detailslook for .shosts in /
oval:ssg-test_no_shosts:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_shosts_files_root:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|
| no value | / | .shosts |
Disable SSH Root Loginxccdf_org.ssgproject.content_rule_sshd_disable_root_login mediumCCE-80901-2
Disable SSH Root Login
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_root_login |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_root_login:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80901-2 References:
BP28(R19), NT007(R21), 5.2.10, 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.6, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.1.5, CCI-000366, CCI-000770, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FIA_UAU.1, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, RHEL-08-010550, SV-230296r599732_rule, SRG-OS-000480-VMM-002000 |
| Description | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line
in /etc/ssh/sshd_config:
PermitRootLogin no |
| Rationale | Even though the communications channel may be encrypted, an additional layer of
security is gained by extending the policy of not logging directly on as root.
In addition, logging in with a user-specific account provides individual
accountability of actions performed on the system and also helps to minimize
direct attack attempts on root's password. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_root_login:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | PermitRootLogin no |
SSH server uses strong entropy to seedxccdf_org.ssgproject.content_rule_sshd_use_strong_rng mediumCCE-82462-3
SSH server uses strong entropy to seed
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_use_strong_rng |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_use_strong_rng:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82462-3 References:
FCS_RBG_EXT.1.2, SRG-OS-000480-GPOS-00227 |
| Description | To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file.
The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so
make sure that the file contains line
SSH_USE_STRONG_RNG=32 |
| Rationale | SSH implementation in RHEL8 uses the openssl library, which doesn't use high-entropy sources by default.
Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors
in encryption algorithms, and high-quality entropy elliminates the possibility that the output of
the random number generator used by SSH would be known to potential attackers. |
| Warnings | warning
This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available. |
OVAL test results detailstests the value of SSH_USE_STRONG_RNG setting in the /etc/sysconfig/sshd file
oval:ssg-test_sshd_use_strong_rng:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/sysconfig/sshd | SSH_USE_STRONG_RNG=32 |
Disable SSH Support for User Known Hostsxccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts mediumCCE-80902-0
Disable SSH Support for User Known Hosts
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_user_known_hosts:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80902-0 References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FIA_UAU.1, SRG-OS-000480-GPOS-00227, RHEL-08-010520, SV-230290r599732_rule |
| Description | SSH can allow system users to connect to systems if a cache of the remote
systems public keys is available. This should be disabled.
To ensure this behavior is disabled, add or correct the
following line in /etc/ssh/sshd_config:
IgnoreUserKnownHosts yes |
| Rationale | Configuring this setting for the SSH daemon provides additional
assurance that remote login via SSH will require a password, even
in the event of misconfiguration elsewhere. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of IgnoreUserKnownHosts setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_user_known_hosts:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | IgnoreUserKnownHosts yes |
Enable Use of Strict Mode Checkingxccdf_org.ssgproject.content_rule_sshd_enable_strictmodes mediumCCE-80904-6
Enable Use of Strict Mode Checking
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_enable_strictmodes:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80904-6 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-17(a), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010500, SV-230288r599732_rule, SRG-OS-000480-VMM-002000 |
| Description | SSHs StrictModes option checks file and ownership permissions in
the user's home directory .ssh folder before accepting login. If world-
writable permissions are found, logon is rejected. To enable StrictModes in SSH,
add or correct the following line in the /etc/ssh/sshd_config file:
StrictModes yes |
| Rationale | If other users have access to modify user-specific SSH configuration files, they
may be able to log into the system as another user. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of StrictModes setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_enable_strictmodes:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | StrictModes yes |
tests the absence of StrictModes setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_enable_strictmodes_default_not_overriden:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | StrictModes |
Do Not Allow SSH Environment Optionsxccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env mediumCCE-80903-8
Do Not Allow SSH Environment Options
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_do_not_permit_user_env:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80903-8 References:
5.2.12, 11, 3, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00229, RHEL-08-010830, SV-230330r599732_rule, SRG-OS-000480-VMM-002000 |
| Description | To ensure users are not able to override environment
variables of the SSH daemon, add or correct the following line
in /etc/ssh/sshd_config:
PermitUserEnvironment no |
| Rationale | SSH environment options potentially allow users to bypass
access restriction in some configurations. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_do_not_permit_user_env:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | PermitUserEnvironment no |
tests the absence of PermitUserEnvironment setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_do_not_permit_user_env_default_not_overriden:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | PermitUserEnvironment |
Enable SSH Warning Bannerxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner mediumCCE-80905-3
Enable SSH Warning Banner
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_enable_warning_banner:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80905-3 References:
5.2.15, 1, 12, 15, 16, 5.5.6, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), AC-17(a), CM-6(a), PR.AC-7, FTA_TAB.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088, RHEL-08-010040, SV-230225r599732_rule, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070 |
| Description | To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in /etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an
appropriate system-wide warning banner. |
| Rationale | The warning message reinforces policy awareness during the logon process and
facilitates possible legal action against attackers. Alternatively, systems
whose ownership should not be obvious should ensure usage of a banner that does
not provide easy attribution. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of Banner setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_enable_warning_banner:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | banner /etc/issue |
Set SSH Client Alive Count Maxxccdf_org.ssgproject.content_rule_sshd_set_keepalive mediumCCE-80907-9
Set SSH Client Alive Count Max
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_keepalive |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_set_keepalive:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80907-9 References:
5.2.13, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000480-VMM-002000 |
| Description | The SSH server sends at most ClientAliveCountMax messages
during a SSH session and waits for a response from the SSH client.
The option ClientAliveInterval configures timeout after
each ClientAliveCountMax message. If the SSH server does not
receive a response from the client, then the connection is considered idle
and terminated.
To ensure the SSH idle timeout occurs precisely when the
ClientAliveInterval is set, set the ClientAliveCountMax to
value of 0. |
| Rationale | This ensures a user login will be terminated as soon as the ClientAliveInterval
is reached. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_set_keepalive:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | ClientAliveCountMax 0 |
Set SSH Idle Timeout Intervalxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout mediumCCE-80906-1
Set SSH Idle Timeout Interval
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_set_idle_timeout:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80906-1 References:
BP28(R29), 5.2.13, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175, RHEL-08-010200, SV-230244r599732_rule, SRG-OS-000480-VMM-002000 |
| Description | SSH allows administrators to set an idle timeout interval. After this interval
has passed, the idle user will be automatically logged out.
To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as
follows:
ClientAliveInterval 600
The timeout interval is given in seconds. For example, have a timeout
of 10 minutes, set interval to 600.
If a shorter timeout has already been set for the login shell, that value will
preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that
some processes may stop SSH from correctly detecting that the user is idle. |
| Rationale | Terminating an idle ssh session within a short time period reduces the window of
opportunity for unauthorized personnel to take control of a management session
enabled on the console or console port that has been let unattended. |
| Warnings | warning
SSH disconnecting idle clients will not have desired effect without also
configuring ClientAliveCountMax in the SSH service configuration. warning
Following conditions may prevent the SSH session to time out:
- Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens.
- Any
scp or sftp activity by the same user to the host resets the timeout.
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
timeout is configured
oval:ssg-test_sshd_idle_timeout:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | ClientAliveInterval 600
|
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_set_keepalive:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | ClientAliveCountMax 0 |
Enable SSH Print Last Logxccdf_org.ssgproject.content_rule_sshd_print_last_log mediumCCE-82281-7
Enable SSH Print Last Log
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_print_last_log |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_print_last_log:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82281-7 References:
1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000366, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-9, AC-17(a), CM-6(a), PR.AC-7, SRG-OS-000480-GPOS-00227, RHEL-08-020350, SV-230382r599732_rule |
| Description | When enabled, SSH will display the date and time of the last
successful account logon. To enable LastLog in
SSH, add or correct the following line in the /etc/ssh/sshd_config file:
PrintLastLog yes |
| Rationale | Providing users feedback on when account accesses last occurred facilitates user
recognition and reporting of unauthorized account use. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of PrintLastLog setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_print_last_log:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | PrintLastLog yes |
tests the absence of PrintLastLog setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_print_last_log_default_not_overriden:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | PrintLastLog |
Disable Compression Or Set Compression to delayedxccdf_org.ssgproject.content_rule_sshd_disable_compression mediumCCE-80895-6
Disable Compression Or Set Compression to delayed
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_compression |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_compression:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80895-6 References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00227, RHEL-08-010510, SV-230289r599732_rule, SRG-OS-000480-VMM-002000 |
| Description | Compression is useful for slow network connections over long
distances but can cause performance issues on local LANs. If use of compression
is required, it should be enabled only after a user has authenticated; otherwise,
it should be disabled. To disable compression or delay compression until after
a user has successfully authenticated, add or correct the following line in the
/etc/ssh/sshd_config file:
Compression no |
| Rationale | If compression is allowed in an SSH connection prior to authentication,
vulnerabilities in the compression software could result in compromise of the
system from an unauthenticated connection, potentially with root privileges. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of Compression setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_compression:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | Compression no |
Allow Only SSH Protocol 2xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 highCCE-80894-9
Allow Only SSH Protocol 2
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_allow_only_protocol2:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80894-9 References:
NT007(R1), 5.2.2, 1, 12, 15, 16, 5, 8, 5.5.6, APO13.01, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.13, 3.5.4, CCI-000197, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 0487, 1449, 1506, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-17(a), AC-17(2), IA-5(1)(c), SC-13, MA-4(6), PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, PR.PT-4, SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227, RHEL-08-040060, SV-230501r599732_rule, SRG-OS-000033-VMM-000140 |
| Description | Only SSH protocol version 2 connections should be
permitted. The default setting in
/etc/ssh/sshd_config is correct, and can be
verified by ensuring that the following
line appears:
Protocol 2 |
| Rationale | SSH protocol version 1 is an insecure implementation of the SSH protocol and
has many well-known vulnerability exploits. Exploits of the SSH daemon could provide
immediate root access to the system. |
| Warnings | warning
As of openssh-server version 7.4 and above, the only protocol
supported is version 2, and line Protocol 2 in
/etc/ssh/sshd_config is not necessary. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
OpenSSH is version 7.4 or higher
oval:ssg-test_openssh-server_version:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
sshd uses protocol 2
oval:ssg-test_sshd_allow_only_protocol2:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_sshd_allow_only_protocol2:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$ | 1 |
Prevent remote hosts from connecting to the proxy displayxccdf_org.ssgproject.content_rule_sshd_x11_use_localhost mediumCCE-84058-7
Prevent remote hosts from connecting to the proxy display
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_x11_use_localhost:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84058-7 References:
CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040341, SV-230556r599732_rule |
| Description | The SSH daemon should prevent remote hosts from connecting to the proxy
display. Make sure that the option X11UseLocalhost is set to
yes within the SSH server configuration file. |
| Rationale | When X11 forwarding is enabled, there may be additional exposure to the
server and client displays if the sshd proxy display is configured to listen
on the wildcard address. By default, sshd binds the forwarding server to the
loopback address and sets the hostname part of the DISPLAY
environment variable to localhost. This prevents remote hosts from
connecting to the proxy display. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of X11UseLocalhost setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_x11_use_localhost:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | X11UseLocalhost yes |
tests the absence of X11UseLocalhost setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_x11_use_localhost_default_not_overriden:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | X11UseLocalhost |
Disable Kerberos Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth mediumCCE-80898-0
Disable Kerberos Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_kerb_auth:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80898-0 References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FTP_ITC_EXT.1, SRG-OS-000364-GPOS-00151, SRG-OS-000480-VMM-002000 |
| Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos. To disable Kerberos authentication, add
or correct the following line in the /etc/ssh/sshd_config file:
KerberosAuthentication no |
| Rationale | Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos
is enabled through SSH, the SSH daemon provides a means of access to the
system's Kerberos implementation. Vulnerabilities in the system's Kerberos
implementations may be subject to exploitation. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_kerb_auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | KerberosAuthentication no |
tests the absence of KerberosAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_kerb_auth_default_not_overriden:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | KerberosAuthentication |
Force frequent session key renegotiationxccdf_org.ssgproject.content_rule_sshd_rekey_limit mediumCCE-82177-7
Force frequent session key renegotiation
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_rekey_limit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_rekey_limit:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82177-7 References:
FCS_SSHS_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-040161, SV-230527r599732_rule |
| Description | The RekeyLimit parameter specifies how often
the session key of the is renegotiated, both in terms of
amount of data that may be transmitted and the time
elapsed. To decrease the default limits, put line
RekeyLimit 1G 1h to file /etc/ssh/sshd_config. |
| Rationale | By decreasing the limit based on the amount of data and enabling
time-based limit, effects of potential attacks against
encryption keys are limited. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of RekeyLimit setting in the file
oval:ssg-test_sshd_rekey_limit:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | RekeyLimit 1G 1h |
Disable X11 Forwardingxccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding mediumCCE-83360-8
Disable X11 Forwarding
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_x11_forwarding:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-83360-8 References:
5.2.6, CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040340, SV-230555r599816_rule |
| Description | The X11Forwarding parameter provides the ability to tunnel X11 traffic
through the connection to enable remote graphic connections.
SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding option is enabled.
To disable X11 Forwarding, add or correct the
following line in /etc/ssh/sshd_config:
X11Forwarding no |
| Rationale | Disable X11 forwarding unless there is an operational requirement to use X11
applications directly. There is a small risk that the remote X11 servers of
users who are logged in via SSH with X11 forwarding could be compromised by
other users on the X11 server. Note that even if X11 forwarding is disabled,
users can always install their own forwarders. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_x11_forwarding:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | X11Forwarding no |
tests the absence of X11Forwarding setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_x11_forwarding_default_not_overriden:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | X11Forwarding |
Disable GSSAPI Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth mediumCCE-80897-2
Disable GSSAPI Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_gssapi_auth:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-80897-2 References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0418, 1055, 1402, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-7(a), CM-7(b), CM-6(a), AC-17(a), PR.IP-1, FTP_ITC_EXT.1, SRG-OS-000364-GPOS-00151, RHEL-08-010521, SV-230291r599732_rule, SRG-OS-000480-VMM-002000 |
| Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or
correct the following line in the /etc/ssh/sshd_config file:
GSSAPIAuthentication no |
| Rationale | GSSAPI authentication is used to provide additional authentication mechanisms to
applications. Allowing GSSAPI authentication through SSH exposes the system's
GSSAPI to remote hosts, increasing the attack surface of the system. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_gssapi_auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | GSSAPIAuthentication no |
tests the absence of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_gssapi_auth_default_not_overriden:tst:1
false
Following items have been found on the system:
| Path | Content |
|---|
| /etc/ssh/sshd_config | GSSAPIAuthentication |
Disable SSH Access via Empty Passwordsxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords highCCE-80896-4
Disable SSH Access via Empty Passwords
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_empty_passwords:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | high |
| Identifiers and References | Identifiers:
CCE-80896-4 References:
NT007(R17), 5.2.11, 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_UAU.1, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-VMM-002000 |
| Description | To explicitly disallow SSH login from accounts with
empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration
should prevent users from being able to assign themselves empty passwords. |
| Rationale | Configuring this setting for the SSH daemon provides additional assurance
that remote login via SSH will require a password, even in the event of
misconfiguration elsewhere. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_empty_passwords:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_empty_passwords:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the absence of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_empty_passwords_default_not_overriden:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_empty_passwords_default_not_overriden:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+ | 1 |
Install the OpenSSH Server Packagexccdf_org.ssgproject.content_rule_package_openssh-server_installed mediumCCE-83303-8
Install the OpenSSH Server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_openssh-server_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_openssh-server_installed:def:1 |
| Time | 2021-08-12T02:38:27+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-83303-8 References:
13, 14, APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.DS-2, PR.DS-5, FIA_UAU.5, FTP_ITC_EXT.1, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190 |
| Description | The openssh-server package should be installed.
The openssh-server package can be installed with the following command:
$ sudo yum install openssh-server |
| Rationale | Without protection of the transmitted information, confidentiality, and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered. |
OVAL test results detailspackage openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Enable the OpenSSH Servicexccdf_org.ssgproject.content_rule_service_sshd_enabled mediumCCE-82426-8
Enable the OpenSSH Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_sshd_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_sshd_enabled:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82426-8 References:
13, 14, APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 3.1.13, 3.5.4, 3.13.8, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), PR.DS-2, PR.DS-5, SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS-000423-GPOS-00190, RHEL-08-040160, SV-230526r599732_rule |
| Description | The SSH server service, sshd, is commonly needed.
The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service |
| Rationale | Without protection of the transmitted information, confidentiality, and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.
This checklist item applies to both internal and external networks and all types
of information system components from which information can be transmitted (e.g., servers,
mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths
outside the physical protection of a controlled boundary are exposed to the possibility
of interception and modification. |
OVAL test results detailspackage openssh-server is installed
oval:ssg-test_service_sshd_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Test that the sshd service is running
oval:ssg-test_service_running_sshd:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|
| sshd.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_sshd:tst:1
true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
systemd test
oval:ssg-test_multi_user_wants_sshd_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
Verify Permissions on SSH Server Public *.pub Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key mediumCCE-82428-4
Verify Permissions on SSH Server Public *.pub Key Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_sshd_pub_key:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82428-4 References:
5.2.4, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010480, SV-230286r599732_rule |
| Description | To properly set the permissions of /etc/ssh/*.pub, run the command: $ sudo chmod 0644 /etc/ssh/*.pub |
| Rationale | If a public host key file is modified by an unauthorized user, the SSH service
may be compromised. |
OVAL test results detailsTesting mode of /etc/ssh/
oval:ssg-test_file_permissions_sshd_pub_key:tst:1
true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|
| /etc/ssh/ssh_host_ecdsa_key.pub | regular | 0 | 0 | 162 | rw-r--r-- |
| /etc/ssh/ssh_host_rsa_key.pub | regular | 0 | 0 | 554 | rw-r--r-- |
Verify Permissions on SSH Server Private *_key Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key mediumCCE-82424-3
Verify Permissions on SSH Server Private *_key Key Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_sshd_private_key:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82424-3 References:
5.2.3, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010490, SV-230287r599732_rule |
| Description |
To properly set the permissions of /etc/ssh/*_key, run the command:
$ sudo chmod 0640 /etc/ssh/*_key |
| Rationale | If an unauthorized user obtains the private SSH host key file, the host could be
impersonated. |
OVAL test results detailsTesting mode of /etc/ssh/
oval:ssg-test_file_permissions_sshd_private_key:tst:1
true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|
| /etc/ssh/ssh_host_ecdsa_key | regular | 0 | 994 | 492 | rw-r----- |
| /etc/ssh/ssh_host_rsa_key | regular | 0 | 994 | 2578 | rw-r----- |
Install fapolicyd Packagexccdf_org.ssgproject.content_rule_package_fapolicyd_installed mediumCCE-82191-8
Install fapolicyd Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_fapolicyd_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_fapolicyd_installed:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82191-8 References:
CM-6(a), SI-4(22), SRG-OS-000370-GPOS-00155 |
| Description | The fapolicyd package can be installed with the following command:
$ sudo yum install fapolicyd |
| Rationale | fapolicyd (File Access Policy Daemon)
implements application whitelisting to decide file access rights.
|
OVAL test results detailspackage fapolicyd is installed
oval:ssg-test_package_fapolicyd_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| fapolicyd | x86_64 | (none) | 6.el8 | 1.0.2 | 0:1.0.2-6.el8 | 199e2f91fd431d51 | fapolicyd-0:1.0.2-6.el8.x86_64 |
Enable the File Access Policy Servicexccdf_org.ssgproject.content_rule_service_fapolicyd_enabled mediumCCE-82249-4
Enable the File Access Policy Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_fapolicyd_enabled:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-82249-4 References:
CM-6(a), SI-4(22), FMT_SMF_EXT.1, SRG-OS-000370-GPOS-00155, RHEL-08-040135, SV-230523r599732_rule |
| Description | The File Access Policy service should be enabled.
The fapolicyd service can be enabled with the following command:
$ sudo systemctl enable fapolicyd.service |
| Rationale | The fapolicyd service (File Access Policy Daemon)
implements application whitelisting to decide file access rights. |
OVAL test results detailspackage fapolicyd is installed
oval:ssg-test_service_fapolicyd_package_fapolicyd_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| fapolicyd | x86_64 | (none) | 6.el8 | 1.0.2 | 0:1.0.2-6.el8 | 199e2f91fd431d51 | fapolicyd-0:1.0.2-6.el8.x86_64 |
Test that the fapolicyd service is running
oval:ssg-test_service_running_fapolicyd:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|
| fapolicyd.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_fapolicyd:tst:1
true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
systemd test
oval:ssg-test_multi_user_wants_fapolicyd_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
Disable chrony daemon from acting as serverxccdf_org.ssgproject.content_rule_chronyd_client_only lowCCE-82988-7
Disable chrony daemon from acting as server
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_client_only |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_client_only:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-82988-7 References:
FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, RHEL-08-030741, SV-230485r599732_rule |
| Description | The port option in /etc/chrony.conf can be set to
0 to make chrony daemon to never open any listening port
for server operation and to operate strictly in a client-only mode. |
| Rationale | Minimizing the exposure of the server functionality of the chrony
daemon diminishes the attack surface. |
OVAL test results detailspackage chrony is installed
oval:ssg-test_service_chronyd_package_chrony_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| chrony | x86_64 | (none) | 2.el8 | 3.5 | 0:3.5-2.el8 | 199e2f91fd431d51 | chrony-0:3.5-2.el8.x86_64 |
Test that the chronyd service is running
oval:ssg-test_service_running_chronyd:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|
| chronyd.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_chronyd:tst:1
true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
systemd test
oval:ssg-test_multi_user_wants_chronyd_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
check if port is 0 in /etc/chrony.conf
oval:ssg-test_chronyd_client_only:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/chrony.conf | port 0 |
Disable network management of chrony daemonxccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network lowCCE-82840-0
Disable network management of chrony daemon
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_no_chronyc_network:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | low |
| Identifiers and References | Identifiers:
CCE-82840-0 References:
FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, RHEL-08-030742, SV-230486r599732_rule |
| Description | The cmdport option in /etc/chrony.conf can be set to
0 to stop chrony daemon from listening on the UDP port 323
for management connections made by chronyc. |
| Rationale | Not exposing the management interface of the chrony daemon on
the network diminishes the attack space. |
OVAL test results detailspackage chrony is installed
oval:ssg-test_service_chronyd_package_chrony_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| chrony | x86_64 | (none) | 2.el8 | 3.5 | 0:3.5-2.el8 | 199e2f91fd431d51 | chrony-0:3.5-2.el8.x86_64 |
Test that the chronyd service is running
oval:ssg-test_service_running_chronyd:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|
| chronyd.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_chronyd:tst:1
true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
systemd test
oval:ssg-test_multi_user_wants_chronyd_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
check if cmdport is 0 in /etc/chrony.conf
oval:ssg-test_chronyd_no_chronyc_network:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /etc/chrony.conf | cmdport 0 |
Configure Time Service Maxpoll Intervalxccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll mediumCCE-84059-5
Configure Time Service Maxpoll Interval
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_or_ntpd_set_maxpoll:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84059-5 References:
1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001891, CCI-002046, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(b), PR.PT-1, SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, RHEL-08-030740, SV-230484r599732_rule |
| Description | The maxpoll should be configured to
16 in /etc/ntp.conf or
/etc/chrony.conf to continuously poll time servers. To configure
maxpoll in /etc/ntp.conf or /etc/chrony.conf
add the following:
maxpoll 16 |
| Rationale | Inaccurate time stamps make it more difficult to correlate
events and can lead to an inaccurate analysis. Determining the correct
time a particular event occurred on a system is critical when conducting
forensic analysis and investigating system events. Sources outside the
configured acceptable allowance (drift) may be inaccurate. |
|
OVAL test results detailspackage ntp is installed
oval:ssg-test_service_ntpd_package_ntp_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_ntpd_package_ntp_installed:obj:1 of type
rpminfo_object
Test that the ntpd service is running
oval:ssg-test_service_running_ntpd:tst:1
false
Following items have been found on the system:
| Unit | Property | Value |
|---|
| ntpd.service | ActiveState | inactive |
systemd test
oval:ssg-test_multi_user_wants_ntpd:tst:1
false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
systemd test
oval:ssg-test_multi_user_wants_ntpd_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
check if maxpoll is set in /etc/ntp.conf
oval:ssg-test_ntp_set_maxpoll:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ntp_set_maxpoll:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ntp.conf | ^server[\s]+[\S]+.*maxpoll[\s]+(\d+) | 1 |
check if all server entries have maxpoll set in /etc/ntp.conf
oval:ssg-test_ntp_all_server_has_maxpoll:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ntp_all_server_has_maxpoll:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ntp.conf | ^server[\s]+[\S]+[\s]+(.*) | 1 |
package chrony is installed
oval:ssg-test_service_chronyd_package_chrony_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| chrony | x86_64 | (none) | 2.el8 | 3.5 | 0:3.5-2.el8 | 199e2f91fd431d51 | chrony-0:3.5-2.el8.x86_64 |
Test that the chronyd service is running
oval:ssg-test_service_running_chronyd:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|
| chronyd.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_chronyd:tst:1
true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
systemd test
oval:ssg-test_multi_user_wants_chronyd_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | sysinit.target | selinux-autorelabel-mark.service | systemd-ask-password-console.path | systemd-journald.service | sys-fs-fuse-connections.mount | systemd-udevd.service | systemd-binfmt.service | dev-hugepages.mount | loadmodules.service | swap.target | dev-mapper-vg0\x2dlv_swap.swap | systemd-journal-flush.service | systemd-machine-id-commit.service | systemd-update-done.service | sys-kernel-config.mount | dracut-shutdown.service | rngd.service | systemd-sysusers.service | lvm2-lvmpolld.socket | kmod-static-nodes.service | proc-sys-fs-binfmt_misc.automount | local-fs.target | -.mount | home.mount | tmp.mount | var-log-audit.mount | opt.mount | systemd-remount-fs.service | root.mount | var-log.mount | var-tmp.mount | var.mount | systemd-random-seed.service | systemd-update-utmp.service | dev-mqueue.mount | lvm2-monitor.service | import-state.service | systemd-firstboot.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | systemd-sysctl.service | cryptsetup.target | systemd-modules-load.service | systemd-journal-catalog-update.service | nis-domainname.service | systemd-udev-trigger.service | ldconfig.service | sys-kernel-debug.mount | systemd-hwdb-update.service | paths.target | sockets.target | systemd-journald.socket | pcscd.socket | systemd-coredump.socket | dm-event.socket | systemd-journald-dev-log.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | timers.target | unbound-anchor.timer | systemd-tmpfiles-clean.timer | microcode.service | usbguard.service | slices.target | system.slice | -.slice | systemd-logind.service | systemd-update-utmp-runlevel.service | amazon-ssm-agent.service | getty.target | getty@tty1.service | serial-getty@ttyS0.service | remote-fs.target | sshd.service | sssd.service | dnf-makecache.timer | cloud-init.target | cloud-config.service | cloud-init-local.service | cloud-final.service | cloud-init.service | fapolicyd.service | firewalld.service | systemd-ask-password-wall.path | NetworkManager.service | chronyd.service | rsyslog.service | crond.service | vmtoolsd.service | systemd-user-sessions.service | irqbalance.service | dbus.service | auditd.service |
check if maxpoll is set in /etc/chrony.conf
oval:ssg-test_chrony_set_maxpoll:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_chrony_set_maxpoll:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/chrony.conf | ^server[\s]+[\S]+.*maxpoll[\s]+(\d+) | 1 |
check if all server entries have maxpoll set in /etc/chrony.conf
oval:ssg-test_chrony_all_server_has_maxpoll:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_chrony_all_server_has_maxpoll:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/chrony.conf | ^server[\s]+[\S]+[\s]+(.*) | 1 |
Mount Remote Filesystems with noexecxccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems mediumCCE-84050-4
Mount Remote Filesystems with noexec
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_noexec_remote_filesystems:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84050-4 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-6(8), AC-6(10), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010630, SV-230306r599732_rule |
| Description | Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts. |
| Rationale | The noexec mount option causes the system not to execute binary files. This option must be used
for mounting any file system not containing approved binary files as they may be incompatible. Executing
files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized
administrative access. |
OVAL test results detailsno nfs
oval:ssg-test_no_nfs_defined_etc_fstab_noexec:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_nfs_defined_etc_fstab_noexec:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/fstab | ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$ | 0 |
all nfs has noexec
oval:ssg-test_nfs_noexec_etc_fstab:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_nfs_noexec_etc_fstab:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/fstab | ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ | 0 |
Mount Remote Filesystems with nosuidxccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems mediumCCE-84053-8
Mount Remote Filesystems with nosuid
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_nosuid_remote_filesystems:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84053-8 References:
12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-6(1), CM6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010650, SV-230308r599732_rule |
| Description | Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts. |
| Rationale | NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables
should be installed to their default location on the local filesystem. |
OVAL test results detailsno nfs
oval:ssg-test_no_nfs_defined_etc_fstab_nosuid:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_nfs_defined_etc_fstab_nosuid:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/fstab | ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$ | 0 |
all nfs has nosuid
oval:ssg-test_nfs_nosuid_etc_fstab:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_nfs_nosuid_etc_fstab:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/fstab | ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ | 0 |
Mount Remote Filesystems with nodevxccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems mediumCCE-84052-0
Mount Remote Filesystems with nodev
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_nodev_remote_filesystems:def:1 |
| Time | 2021-08-12T02:38:28+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers:
CCE-84052-0 References:
11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-6(a), MP-2, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010640, SV-230307r599732_rule |
| Description | Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts. |
| Rationale | Legitimate device files should only exist in the /dev directory. NFS mounts
should not present device files to users. |
OVAL test results detailsno nfs
oval:ssg-test_no_nfs_defined_etc_fstab_nodev:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_nfs_defined_etc_fstab_nodev:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/fstab | ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$ | 0 |
all nfs has nodev
oval:ssg-test_nfs_nodev_etc_fstab:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_nfs_nodev_etc_fstab:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/fstab | ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ | 0 |